Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Mitigation for Win 10 user account bypass

Posted on 2016-07-28
8
Medium Priority
?
154 Views
Last Modified: 2016-07-31
https://www.helpnetsecurity.com/2016/07/26/user-account-control-bypass/

How can we mitigate or work around the above?
0
Comment
Question by:sunhux
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 56

Assisted Solution

by:McKnife
McKnife earned 680 total points
ID: 41732885
I analysed that and I cannot even confirm any form of danger.
1) I started the task and monitored the %temp% folder using NTFS auditing - nothing gets written into it!
2) I looked at the task and it executes as weak user. "run with elevated/high integrity privileges" does not mean, the task is running like that, but only that it may run like that if the user executing it is an administrator.
So unless these researchers have totally different win10 systems than I have, their assumptions are plain wrong. Surely, it may be that the process cleanmgr.exe does indeed load dlls without verifying those, but
A not with high privileges
B not from the folder they indicate it does.
C if so, nothing is won. If the attacker may write files to user directories, he already has the same privileges as the user and is acting in his name.

I see no problem at all.
0
 
LVL 13

Assisted Solution

by:Dustin Saunders
Dustin Saunders earned 400 total points
ID: 41733086
You can test with their code to confirm the problem.  But it's honestly no different than the thousand other ways viruses get planted into a system, and you likely need to be infected already in order for something to execute that dll swap.

Short answer is disable the task.  But, I'd imagine despite Windows not adding an OS patch to it (I agree with why), a listener may show up in Win Defender or in other AV's active protection fairly soon.
0
 
LVL 65

Accepted Solution

by:
btan earned 600 total points
ID: 41733195
The mean is to prevent the infection to be even be successful...and detected early as possible and not rely solely on AV or HIPS only. We must ask ourselves if those baseline is bypass including the UAC, AV and HIPS, what other layer of defence still exist to block the infection attempts.
- Fundamental readily patch as usual as nothing beats closing up the holes available to be exploit
- application whitelisting using cryptoprevent or applocker or SecureAPlus to restrict only few s/w to run
- run another exploit watch dog like EMET to minimally deter the infection from going further where it attempts to skip UAC and ASLR and activate the Return-oriented exploit codes gadgets
- check for dll hijacking attempts (supposedly HIPS should handle that)
I have been experimenting with a new methodology (well, at least it's new to me!) for detecting active attacks of this nature on vulnerable systems, and have written a program which does the following:

-Iterate through each running process on the system, identifying all the DLLs which they have loaded
-For each DLL, inspect all the locations where a malicious DLL could be placed
-If a DLL with the same name appears in multiple locations in the search order, perform an analysis based on which location is currently loaded and highlight the possibility of a hijack to the user
-Additionally: Check each DLL to see whether it has been digitally signed, and give the user the option to ignore all signed DLLs
https://digital-forensics.sans.org/blog/2015/03/25/detecting-dll-hijacking-on-windows/ to prevent any appls load a malicious library (allowing for the execution of arbitrary code) that is placed a at a preferential location as dictated by the Dynamic-Link Library Search Order which is a pre-defined standard on how Microsoft Windows searches for a DLL when the path has not been specified by the developer.
- disable unnecessary services like Powerscript, WMI, python based or macro based in Document appls, end user do not really need those to work and likely it is used for administrative patch but go based on Windows push update instead of running batch job with script.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 56

Assisted Solution

by:McKnife
McKnife earned 680 total points
ID: 41733306
@Dustin: sorry, but it never even works here, not at work, nor at home, not as restricted user, not as administrator, not even elevated.
Invoke-UACBypass -DllPath C:\Users\Me\Desktop\viasetup.dll -Verbose
VERBOSE: SilentCleanup task executed successfully. Message: SUCCESS: Attempted to run the scheduled task "\Microsoft\Windows\DiskCleanup\SilentCleanup".
Invoke-UACBypass : UAC bypass failed. The DLL was not planted in its target.
At line:1 char:1
+ Invoke-UACBypass -DllPath C:\Users\Me\Desktop\viasetup.dll -Verbose
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Invoke-UACBypass

Open in new window

And even if: what it does is execute code with the highest privs a user could get. So if your user is a restricted user, so what? if he's an admin, why does he execute such code? He should know better.
I see the meaning of the exploit, sure it's something, but A it does not work here and B I would not care if it does. UAC is not meant to protect me, it never was. Quote Microsoft:
A weakness that would allow to bypass the “Consent Prompt” is not considered a security vulnerability, since that is not considered a security boundary.
(source: https://msdn.microsoft.com/en-us/library/cc751383.aspx )
0
 
LVL 13

Assisted Solution

by:Dustin Saunders
Dustin Saunders earned 400 total points
ID: 41733331
PS C:\Users\dustin> Invoke-UACBypass -DllPath C:\test\fake.dll -Verbose
VERBOSE: SilentCleanup task executed successfully. Message: SUCCESS: Attempted to run the scheduled task "\Microsoft\Windows\DiskCleanup\SilentCleanup".
VERBOSE: DismHost folder created in c:\users\dustin\appdata\local\temp\fe314b08-f309-454b-8b93-f9815ec653af
VERBOSE: C:\test\fake.dll to c:\users\dustin\appdata\local\temp\fe314b08-f309-454b-8b93-f9815ec653af\LogProvider.dll
VERBOSE: UAC bypass was successful!

Open in new window


Confirmed on my system.  Maybe you have AV interfering or something.
0
 
LVL 56

Expert Comment

by:McKnife
ID: 41733338
No AV but defender. SRP and applocker deactivated for the test.
Deactivated defender - no change.
0
 
LVL 42

Assisted Solution

by:Adam Brown
Adam Brown earned 320 total points
ID: 41733561
@McKnife, the DLL you use has to match the architecture of the exploited DLL.

This particular issue, as mentioned, is only a problem when the logged in user has Administrative privileges. It won't work with a non-privileged user, because those users don't have permission to overwrite the .dll file in question (which is required for this to work).

That said, the easy fix for this problem is to disable or remove the scheduled task. The task is there to automate system disk cleanup, and that isn't really necessary. If you're really worried about this issue, just shut down the task. You should be able to do so with Group Policy Preferences.
0
 
LVL 56

Assisted Solution

by:McKnife
McKnife earned 680 total points
ID: 41733768
@acbrown2010
No, I tried both architectures, no difference. Maybe it is language aware (=badly coded ;-) and will only work on native en-us systems?

@sunhux
Whatever, the point should have become clear: the task does no magic, no user is turned to malicious admin here. And to exploit an admin, well, if you make him execute your code is already too much, so we can conclude this is not too dangerous. If you think you can do without that task, disable it. It is not needed if you have no disk space problems, so disable it.
0

Featured Post

Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as high-speed processing of the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Windows 10 Creator Update has just been released and I have it working very well on my laptop. Read below for issues, fixes and ideas.
In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
How to fix incompatible JVM issue while installing Eclipse While installing Eclipse in windows, got one error like above and unable to proceed with the installation. This video describes how to successfully install Eclipse. How to solve incompa…

670 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question