UAC BYPASS VIA DOTNET PROFILER ON WINDOWS 10 – All things in moderation

UAC BYPASS VIA DOTNET PROFILER ON WINDOWS 10

In the previous post we saw how to use registry hijacking to bypass UAC on Windows 10. Today we continue with a different technique, this time based on the DotNet profiler.

WHAT IS UAC?

We covered UAC in the previous post, so here we only review a few additional details.

User Account Control or UAC is a security feature of Windows which helps prevent unauthorized changes to the operating system.

When a user logs on to a computer, the system creates an access token for that user. The access token contains information about the level of access that the user is granted, including specific security identifiers (SIDs) and Windows privileges.

When an administrator logs on, two separate access tokens are created for the user: a standard user access token and an administrator access token. The standard user access token contains the same user-specific information as the administrator access token, but the administrative Windows privileges and SIDs are removed. The standard user access token is used to start apps that do not perform administrative tasks (standard user apps). The standard user access token is then used to display the desktop (explorer.exe). Explorer.exe is the parent process from which all other user-initiated processes inherit their access token. As a result, all apps run as a standard user unless a user provides consent or credentials to approve an app to use a full administrative access token.

DotNet

DotNet is a software framework developed by Microsoft that runs primarily on Microsoft Windows. Programs written for .NET Framework execute in a software environment (in contrast to a hardware environment) named the Common Language Runtime (CLR). The CLR is an application virtual machine that provides services such as security, memory management, and exception handling.

From DotNet 4, the runtime provides a profiler mechanism for monitoring the execution of DotNet applications. When an application starts, the CLR loads the profiler (a DLL) into the process, and the profiler interacts with the CLR through the Profiling API.

The CLR profiler is configured through environment variables:

COR_ENABLE_PROFILING=1

COR_PROFILER={CLSID of profiler}

COR_PROFILER_PATH=full path of the profiler DLL


{CLSID of profiler} is a key that resides under HKEY_CLASSES_ROOT\CLSID\.


HKEY_CLASSES_ROOT\CLSID is a merged view of HKEY_LOCAL_MACHINE\Software\Classes\CLSID and HKEY_CURRENT_USER\Software\Classes\CLSID.

Remember that we can write keys under HKEY_CURRENT_USER without administrator privileges.

ANALYSIS

Because the CLR loads the configured profiler when a DotNet application starts, all we have to do is register a profiler that points to an “evil” DLL and run any DotNet application.

Remember that the profiler runs with the same privileges as the application, so if the application is run as Admin, the profiler also gets Admin privileges.

1/ Making a DLL to use as the profiler:

Profiler DLL source code: <dllmain.cpp>

Profiler DLL Compiled for x64 DotNet 4: <test.dll>

2/ Register the profiler:

Command lines:

setx COR_ENABLE_PROFILING 1
setx COR_PROFILER "{SOME_CLSID}"
setx COR_PROFILER_PATH "PATH_TO_DLL"

3/ Execute a DotNet application that uses the auto-elevate mechanism:

Run any Microsoft-signed .msc file so that mmc.exe triggers the auto-elevate mechanism.

Command line:

azman.msc
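Every indicator in this technique lives in locations a standard user can write: the COR_* variables that setx stores under HKCU\Environment, and the per-user CLSID keys that HKEY_CLASSES_ROOT merges in from HKCU\Software\Classes\CLSID. The following PowerShell audit, added here as an example and not part of the original post or its GitHub repository, reads those locations on a Windows 10 host and reports any profiler configuration it finds: the variables in process, user and machine scope, the CLSID named by COR_PROFILER resolved in both HKCU and HKLM, and whether each referenced DLL sits in a user-writable directory, is missing, or fails Authenticode validation. The "user-writable" test is a path-prefix heuristic (profile, temp and Public folders), not a full ACL check; that assumption and the choice of roots are mine.

```powershell
# Added example: read-only audit for CLR profiler persistence on Windows 10.
# Assumes Windows PowerShell 5.1, run as the user whose profile is being checked.
# Exits 1 when any profiler configuration is found, 0 otherwise.

$findings = @()

# Names the CLR honours; the _32/_64 variants are the bitness-specific forms of COR_PROFILER_PATH.
$profilerVars = 'COR_ENABLE_PROFILING', 'COR_PROFILER', 'COR_PROFILER_PATH',
                'COR_PROFILER_PATH_32', 'COR_PROFILER_PATH_64'

# Heuristic (assumption): treat paths under the profile, temp and Public folders as user-writable.
function Test-UserWritablePath {
    param([string]$Path)
    $p = [Environment]::ExpandEnvironmentVariables($Path).Trim('"')
    $userRoots = @($env:USERPROFILE, $env:LOCALAPPDATA, $env:APPDATA, $env:TEMP, 'C:\Users\Public')
    foreach ($root in $userRoots) {
        if ($root -and $p.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# 1. Environment variables. 'User' scope is HKCU\Environment, which is where setx writes
#    without elevation; 'Process' catches values injected into this shell only.
foreach ($scope in 'Process', 'User', 'Machine') {
    foreach ($name in $profilerVars) {
        $value = [Environment]::GetEnvironmentVariable($name, $scope)
        if ($value) {
            $findings += [pscustomobject]@{ Source = "env:$scope"; Name = $name; Value = $value }
        }
    }
}

# 2. Resolve the CLSID from COR_PROFILER in both hives. A hit under HKCU means the
#    registration was possible without administrator privileges.
$clsids = $findings | Where-Object Name -eq 'COR_PROFILER' | Select-Object -ExpandProperty Value -Unique
foreach ($id in $clsids) {
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Classes\CLSID\$id\InprocServer32"
        if (Test-Path -Path $key) {
            $dll = (Get-ItemProperty -Path $key).'(default)'
            if (-not $dll) { $dll = '(no InprocServer32 default value)' }
            $findings += [pscustomobject]@{ Source = "registry:$hive"; Name = "CLSID $id"; Value = $dll }
        }
    }
}

# 3. Inspect every DLL path referenced by COR_PROFILER_PATH* or an InprocServer32 value.
$dllPaths = $findings |
    Where-Object { ($_.Name -like 'COR_PROFILER_PATH*' -or $_.Name -like 'CLSID *') -and $_.Value -like '*.dll*' } |
    Select-Object -ExpandProperty Value -Unique
foreach ($dll in $dllPaths) {
    $resolved = [Environment]::ExpandEnvironmentVariables($dll).Trim('"')
    $notes = @()
    if (Test-UserWritablePath $resolved) { $notes += 'user-writable location' }
    if (Test-Path -LiteralPath $resolved) {
        $sig = Get-AuthenticodeSignature -FilePath $resolved
        if ($sig.Status -ne 'Valid') { $notes += "signature: $($sig.Status)" }
    } else {
        $notes += 'file not found'
    }
    $findings += [pscustomobject]@{ Source = 'dll'; Name = $resolved; Value = ($notes -join '; ') }
}

if ($findings.Count -eq 0) {
    Write-Output 'No CLR profiler configuration found.'
    exit 0
}
$findings | Format-Table -AutoSize
exit 1
```

On a clean workstation the script prints nothing but the "No CLR profiler configuration found" line; a hit where COR_ENABLE_PROFILING is set in User scope and the DLL resolves to a user-writable, unsigned file is the combination this post relies on and is worth treating as an incident rather than a misconfiguration. Running the audit once is a point-in-time check; endpoint telemetry that records value writes under HKCU\Environment and HKCU\Software\Classes\CLSID, together with DLL loads into auto-elevated processes such as mmc.exe, gives the same coverage continuously.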

Download link Git: https://github.com/hydrasky-team/bypass_uac_via_dotnet_profiler

And one more thing, as usual: this vulnerability has not been fixed as of the time I finished this article.

POC VIDEO
