Solved

Mitigation for Win 10 user account bypass

Posted on 2016-07-28
8
81 Views
Last Modified: 2016-07-31
https://www.helpnetsecurity.com/2016/07/26/user-account-control-bypass/

How can we mitigate or work around the above?
0
Comment
Question by:sunhux
8 Comments
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 170 total points
ID: 41732885
I analysed that and I cannot even confirm any form of danger.
1) I started the task and monitored the %temp% folder using NTFS auditing - nothing gets written into it!
2) I looked at the task and it executes as weak user. "run with elevated/high integrity privileges" does not mean, the task is running like that, but only that it may run like that if the user executing it is an administrator.
So unless these researchers have totally different win10 systems than I have, their assumptions are plain wrong. Surely, it may be that the process cleanmgr.exe does indeed load dlls without verifying those, but
A not with high privileges
B not from the folder they indicate it does.
C if so, nothing is won. If the attacker may write files to user directories, he already has the same privileges as the user and is acting in his name.

I see no problem at all.
0
 
LVL 12

Assisted Solution

by:Dustin Saunders
Dustin Saunders earned 100 total points
ID: 41733086
You can test with their code to confirm the problem.  But it's honestly no different than the thousand other ways viruses get planted into a system, and you likely need to be infected already in order for something to execute that dll swap.

Short answer is disable the task.  But, I'd imagine despite Windows not adding an OS patch to it (I agree with why), a listener may show up in Win Defender or in other AV's active protection fairly soon.
0
 
LVL 61

Accepted Solution

by:
btan earned 150 total points
ID: 41733195
The mean is to prevent the infection to be even be successful...and detected early as possible and not rely solely on AV or HIPS only. We must ask ourselves if those baseline is bypass including the UAC, AV and HIPS, what other layer of defence still exist to block the infection attempts.
- Fundamental readily patch as usual as nothing beats closing up the holes available to be exploit
- application whitelisting using cryptoprevent or applocker or SecureAPlus to restrict only few s/w to run
- run another exploit watch dog like EMET to minimally deter the infection from going further where it attempts to skip UAC and ASLR and activate the Return-oriented exploit codes gadgets
- check for dll hijacking attempts (supposedly HIPS should handle that)
I have been experimenting with a new methodology (well, at least it's new to me!) for detecting active attacks of this nature on vulnerable systems, and have written a program which does the following:

-Iterate through each running process on the system, identifying all the DLLs which they have loaded
-For each DLL, inspect all the locations where a malicious DLL could be placed
-If a DLL with the same name appears in multiple locations in the search order, perform an analysis based on which location is currently loaded and highlight the possibility of a hijack to the user
-Additionally: Check each DLL to see whether it has been digitally signed, and give the user the option to ignore all signed DLLs
https://digital-forensics.sans.org/blog/2015/03/25/detecting-dll-hijacking-on-windows/ to prevent any appls load a malicious library (allowing for the execution of arbitrary code) that is placed a at a preferential location as dictated by the Dynamic-Link Library Search Order which is a pre-defined standard on how Microsoft Windows searches for a DLL when the path has not been specified by the developer.
- disable unnecessary services like Powerscript, WMI, python based or macro based in Document appls, end user do not really need those to work and likely it is used for administrative patch but go based on Windows push update instead of running batch job with script.
0
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 170 total points
ID: 41733306
@Dustin: sorry, but it never even works here, not at work, nor at home, not as restricted user, not as administrator, not even elevated.
Invoke-UACBypass -DllPath C:\Users\Me\Desktop\viasetup.dll -Verbose
VERBOSE: SilentCleanup task executed successfully. Message: SUCCESS: Attempted to run the scheduled task "\Microsoft\Windows\DiskCleanup\SilentCleanup".
Invoke-UACBypass : UAC bypass failed. The DLL was not planted in its target.
At line:1 char:1
+ Invoke-UACBypass -DllPath C:\Users\Me\Desktop\viasetup.dll -Verbose
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Invoke-UACBypass

Open in new window

And even if: what it does is execute code with the highest privs a user could get. So if your user is a restricted user, so what? if he's an admin, why does he execute such code? He should know better.
I see the meaning of the exploit, sure it's something, but A it does not work here and B I would not care if it does. UAC is not meant to protect me, it never was. Quote Microsoft:
A weakness that would allow to bypass the “Consent Prompt” is not considered a security vulnerability, since that is not considered a security boundary.
(source: https://msdn.microsoft.com/en-us/library/cc751383.aspx )
0
 
LVL 12

Assisted Solution

by:Dustin Saunders
Dustin Saunders earned 100 total points
ID: 41733331
PS C:\Users\dustin> Invoke-UACBypass -DllPath C:\test\fake.dll -Verbose
VERBOSE: SilentCleanup task executed successfully. Message: SUCCESS: Attempted to run the scheduled task "\Microsoft\Windows\DiskCleanup\SilentCleanup".
VERBOSE: DismHost folder created in c:\users\dustin\appdata\local\temp\fe314b08-f309-454b-8b93-f9815ec653af
VERBOSE: C:\test\fake.dll to c:\users\dustin\appdata\local\temp\fe314b08-f309-454b-8b93-f9815ec653af\LogProvider.dll
VERBOSE: UAC bypass was successful!

Open in new window


Confirmed on my system.  Maybe you have AV interfering or something.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 41733338
No AV but defender. SRP and applocker deactivated for the test.
Deactivated defender - no change.
0
 
LVL 38

Assisted Solution

by:Adam Brown
Adam Brown earned 80 total points
ID: 41733561
@McKnife, the DLL you use has to match the architecture of the exploited DLL.

This particular issue, as mentioned, is only a problem when the logged in user has Administrative privileges. It won't work with a non-privileged user, because those users don't have permission to overwrite the .dll file in question (which is required for this to work).

That said, the easy fix for this problem is to disable or remove the scheduled task. The task is there to automate system disk cleanup, and that isn't really necessary. If you're really worried about this issue, just shut down the task. You should be able to do so with Group Policy Preferences.
0
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 170 total points
ID: 41733768
@acbrown2010
No, I tried both architectures, no difference. Maybe it is language aware (=badly coded ;-) and will only work on native en-us systems?

@sunhux
Whatever, the point should have become clear: the task does no magic, no user is turned to malicious admin here. And to exploit an admin, well, if you make him execute your code is already too much, so we can conclude this is not too dangerous. If you think you can do without that task, disable it. It is not needed if you have no disk space problems, so disable it.
0

Join & Write a Comment

Container Orchestration platforms empower organizations to scale their apps at an exceptional rate. This is the reason numerous innovation-driven companies are moving apps to an appropriated datacenter wide platform that empowers them to scale at a …
If you need to start windows update installation remotely or as a scheduled task you will find this very helpful.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now