UAC Bypass Via Registry Hijacking on Windows 10 – All things in moderation

UAC Bypass Via Registry Hijacking on Windows 10

In the previous post, we saw how to use DLL hijacking to load our own code into memory through WPF applications on Windows 10. Today we are going to try to bypass UAC via registry hijacking.

WHAT IS UAC?

The following diagram details the UAC architecture.

[Figure: UAC architecture]

User Account Control (UAC) is a fundamental component of Microsoft’s overall security vision. UAC helps mitigate the impact of malware.

Apps with lower integrity levels cannot modify data in applications with higher integrity levels. When a standard user attempts to run an app that requires an administrator access token, UAC requires that the user provide valid administrator credentials.

UAC was developed by Microsoft to limit the privileges of users in the Administrators group, so that administrative rights are used only when necessary.

UAC relies on access tokens: when the user logs in, the system issues two tokens, one carrying only the rights of a normal user and the other carrying the user's administrative rights.

Starting with Windows Vista, when a process requires higher permissions, or is started with Run as administrator, the system displays a UAC prompt; if the user clicks Yes, the process runs with the administrator token and continues.

Therefore, UAC is the first wall we have to cross if we want to do anything unusual on the computer.

REGISTRY

The Registry is a central hierarchical database, used in Microsoft Windows 98, Windows CE, Windows NT, and Windows 2000, that stores the information needed to configure the system for one or more users, applications and hardware devices.

The Registry contains information that Windows continually references during operation, such as profiles for each user, the applications installed on the computer and the types of documents that each can create, property sheet settings for folders and application icons, what hardware exists on the system, and the ports that are being used.

The Registry replaces most of the text-based .ini files used in Windows 3.x, as well as the MS-DOS configuration files such as Autoexec.bat and Config.sys. Although the Registry is common to several Windows operating systems, there are some differences among them.

ANALYSIS

Every time the user changes a system setting, the UAC prompt appears, and the number of prompts becomes annoying.

Since Windows 7, Microsoft uses a default mode in which, when users change system settings through programs that are located in %SystemRoot% (C:\Windows) and are marked by Microsoft for auto-elevation, the UAC prompt does not appear. This mechanism is called auto-elevate.

To find programs with auto-elevate mechanism:

strings.exe C:\Windows\System32\*.* | findstr /i autoelevate

Starting with Windows 10 version 10240, Microsoft added fodhelper.exe to the Windows installation toolkit; it manages optional features such as additional keyboards.

fodhelper.exe has an auto-elevate mechanism.

On launch, fodhelper.exe first checks the key HKCU\Software\Classes\ms-settings\shell\open\command; since it is not found, it falls back to HKCR\ms-settings\shell\open\command:

[Figure: fodhelper.exe registry lookups during launch]

The HKCR\ms-settings\shell\open\command key:

[Figure: HKCR\ms-settings\shell\open\command key]

We see this key has 2 values:

default = NULL
DelegateExecute = {4ed3a791-cea8-4bd9-910d-e252f997afc2}

The {4ed3a791-cea8-4bd9-910d-e252f997afc2} CLSID key points to the twinui.dll file:

[Figure: CLSID {4ed3a791-cea8-4bd9-910d-e252f997afc2} key referencing twinui.dll]

Checking again during the launch of fodhelper.exe, we see that twinui.dll has been loaded into memory:

[Figure: twinui.dll loaded in the fodhelper.exe process]

So the DelegateExecute value refers to a DLL, and fodhelper.exe loads that DLL.

We set a DelegateExecute value under the key HKCU\Software\Classes\ms-settings\shell\open\command so that fodhelper.exe loads our DLL, containing our own code, into memory instead of the default DLL referenced from HKCR\ms-settings\shell\open\command.

  1. Create the DLL
     Profiler DLL source code: <dllmain.cpp>
     Profiler DLL compiled for x64 .NET 4: <test.dll>
  2. Create the {CLSID} key with the path to our DLL. Because HKCR\CLSID is a merged view of HKCU\Software\Classes\CLSID and HKLM\Software\Classes\CLSID, a key created in HKCU\Software\Classes\CLSID also appears under HKCR.
     .reg file: <delegate_HKCU.reg>
     cmd:
     REG IMPORT delegate.reg
  3. Set the value HKCU\Software\Classes\ms-settings\shell\open\command\DelegateExecute to the {CLSID} we have just created.
     .reg file: <add_shell_delegate.reg>
     cmd:
     REG IMPORT add_shell_delegate.reg
  4. Run fodhelper.exe to load our DLL.
     cmd:
     fodhelper.exe
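From the defender's side, the two registry writes in steps 2 and 3 are what stands out in telemetry. As an added example that is not part of the original post or its repository, the following Python checks Sysmon Event ID 13 (RegistryEvent: Value Set) records for a per-user override of the ms-settings open\command handler and for a per-user CLSID InprocServer32 registration whose DLL lives outside %SystemRoot%. The events, the SID, the CLSID and the file paths are constructed placeholders.

```python
import re
from typing import Optional

# Sysmon Event ID 13 (RegistryEvent: Value Set) records HKCU writes as HKU\<SID>\...
# Rule 1: per-user ms-settings verb handler, which fodhelper.exe resolves before HKCR.
MS_SETTINGS_COMMAND = re.compile(
    r"^HKU\\[^\\]+\\Software\\Classes\\ms-settings\\shell\\open\\command\\"
    r"(\(Default\)|DelegateExecute)$", re.IGNORECASE)
# Rule 2: per-user COM in-process server whose DLL path is not under C:\Windows.
USER_INPROC = re.compile(
    r"^HKU\\[^\\]+\\Software\\Classes\\CLSID\\\{[0-9a-f-]{36}\}\\InprocServer32\\\(Default\)$",
    re.IGNORECASE)
SYSTEM_ROOT = re.compile(r"^C:\\Windows\\", re.IGNORECASE)

def classify(event: dict) -> Optional[str]:
    # Returns the name of the matching rule for one value-set event, else None.
    if event.get("EventID") != 13:
        return None
    target = event.get("TargetObject", "")
    if MS_SETTINGS_COMMAND.match(target):
        return "user_ms_settings_handler"
    if USER_INPROC.match(target) and not SYSTEM_ROOT.match(event.get("Details", "")):
        return "user_clsid_inproc_outside_systemroot"
    return None

def scan(events: list) -> list:
    # (writing process image, rule name) for every event that trips a rule.
    return [(e["Image"], rule) for e in events if (rule := classify(e))]

# Constructed sample events (not real telemetry); SID, CLSID and paths are placeholders.
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
CLSID = "{00000000-0000-0000-0000-000000000001}"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": rf"HKU\{SID}\Software\Classes\CLSID\{CLSID}\InprocServer32\(Default)",
     "Details": r"C:\Users\alice\AppData\Local\Temp\test.dll"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": rf"HKU\{SID}\Software\Classes\ms-settings\shell\open\command\DelegateExecute",
     "Details": CLSID},
    # Benign: an installer writing a per-user file association under Classes.
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Programs\Editor\setup.exe",
     "TargetObject": rf"HKU\{SID}\Software\Classes\.txt\(Default)", "Details": "txtfile"},
    # Benign: a per-user in-proc server that still points into %SystemRoot%.
    {"EventID": 13, "Image": r"C:\Windows\System32\regsvr32.exe",
     "TargetObject": rf"HKU\{SID}\Software\Classes\CLSID\{CLSID}\InprocServer32\(Default)",
     "Details": r"C:\Windows\System32\twinui.dll"},
]

if __name__ == "__main__":
    for image, rule in scan(SAMPLE_EVENTS):
        print(f"{rule}: written by {image}")
```

Sysmon only emits Event ID 13 for these keys when its configuration includes a RegistryEvent rule covering the Software\Classes paths, so the rules above assume such a configuration is in place.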


Download link Git: https://github.com/hydrasky-team/bypass_uac_via_registry_hijacking

And of course, this vulnerability has not been fixed as of the time I finish this article.

POC VIDEO
