Batu69 Posted August 15, 2016

Researchers discover new fileless UAC bypass technique

The Event Viewer built-in Windows application can be abused in a way to allow crooks to bypass the Windows User Access Control (UAC) security feature on Windows 7 and Windows 10.

Responsible for discovering this trick are security researchers Matt Nelson and Matt Graeber, who at the end of July have detailed another Windows UAC bypass that used the Windows 10 Disk Cleanup utility. The difference between their latest bypass and the one from the end of July is in the technique.

Latest UAC bypass does not rely on files stored on disk

The first one, using Disk Cleanup, involved the researchers using a high-privileged process to copy a DLL into an unsafe location, which they used in a DLL hijacking attack that didn't get flagged by UAC.

For the bypass they presented today, the two researchers put together a method that didn't require dropping any malicious DLL on the file system and didn't utilize any process injection (DLL hijacking).

This fileless UAC bypass required the researchers to create a structure of intertwined Windows registry keys, which would end up being queried by the Event Viewer process (eventvwr.exe), triggering a masked operation from a high integrity process like Event Viewer, which UAC would allow through, considering it a harmless operation.

There's a way to prevent these types of UAC bypass attacks

According to the two researchers, this is a unique, never-before-seen UAC bypass. All previous UAC bypass techniques relied on process hijacking, privileged file copy, or dropping files on the user's PC.

"This particular technique can be remediated or fixed by setting the UAC level to 'Always Notify' or by removing the current user from the Local Administrators group," Nelson writes. "Further, if you would like to monitor for this attack, you could utilize methods/signatures to look for and alert on new registry entries in HKCU\Software\Classes," which is one of the key places in the aforementioned intertwined registry structure.

Microsoft doesn't consider UAC a true security feature, but malware developers prefer not to take any chances and often include UAC bypasses in their code to avoid getting their malware stuck in a UAC prompt.
Petrovic Posted August 17, 2016

Windows' User Account Control (UAC) feature was designed to help keep computers safe from malicious software installations, but there are already at least a couple of ways to bypass it. A new technique for circumventing UAC not only makes it possible to execute commands on a computer, but to do so without leaving a single trace.

Security researchers Matt Nelson and Matt Graeber discovered the vulnerability and developed a proof-of-concept exploit. The pair tested the exploit on Windows 7 and Windows 10, but say that the technique can be used to bypass security on any version of Windows that uses UAC. While the vulnerability does require an attacker to already have access to a computer in order to exploit it, it is a concern nonetheless.

Speaking to Threatpost, Nelson said: "This attack simply allows an admin user to execute code in a high-integrity context without requiring the user to 'approve' the administrative action via the pop-up. It essentially removes the restrictions an attacker has when running under the context of a local administrator".

The attack -- which is detailed on Nelson's website -- makes use of the Event Viewer (eventvwr.exe) to hijack a registry process to launch PowerShell. This can then be used to execute arbitrary code. The researcher says that he has informed Microsoft about the vulnerability but was told that UAC bypasses are not considered important enough to warrant a Patch Tuesday fix. In a statement Microsoft said:

Quote
Windows is the only platform with a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. If we determine there is an issue, we will take the necessary steps to help protect customers.

Nelson says that it is possible to protect against the threat:

Quote
This particular technique can be remediated or fixed by setting the UAC level to "Always Notify" or by removing the current user from the Local Administrators group. Further, if you would like to monitor for this attack, you could utilize methods/signatures to look for and alert on new registry entries in HKCU\Software\Classes\.

However, he also warns that the exploit is different to others that are publicly known for a number of reasons:

1. This technique does not require dropping a traditional file to the file system. Most (if not all) public UAC bypasses currently require dropping a file (typically a DLL) to the file system. Doing so increases the risk of the attacker getting caught. Since this technique doesn't drop a traditional file, that extra risk to the attacker is mitigated.
2. This technique does not require any process injection, meaning the attack won't get flagged by security solutions that monitor for this type of behavior.
3. There is no privileged file copy required. Most UAC bypasses require some sort of privileged file copy in order to get a malicious DLL into a secure location to setup a DLL hijack.
4. Since it is possible to replace what executable "eventvwr.exe" starts to load the required Snap-in, it is possible to simply use an existing, trusted Microsoft binary to execute code in memory instead.
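An audit script for the two mitigations Nelson quotes above (UAC at "Always Notify", and watching HKCU\Software\Classes for new entries), written as an added example; it is not from either article or from the researchers. The UAC policy values and registry paths are standard Windows locations; the baseline file path and the list of script hosts it flags are assumptions for this example.

```powershell
# Added example (not from the articles or the researchers): audit the
# mitigations quoted above. Run it as the user whose profile you want to
# check. The baseline path and the script-host list are assumptions.
$baselinePath = "$env:LOCALAPPDATA\classes-baseline.txt"   # assumption

# 1. UAC level. "Always Notify" is ConsentPromptBehaviorAdmin = 2 together
#    with PromptOnSecureDesktop = 1 under the standard UAC policy key.
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if ($uac.EnableLUA -ne 1) {
    Write-Warning 'UAC is disabled entirely (EnableLUA is not 1).'
} elseif ($uac.ConsentPromptBehaviorAdmin -eq 2 -and $uac.PromptOnSecureDesktop -eq 1) {
    Write-Output 'UAC level is Always Notify.'
} else {
    Write-Warning "UAC level is below Always Notify (ConsentPromptBehaviorAdmin=$($uac.ConsentPromptBehaviorAdmin), PromptOnSecureDesktop=$($uac.PromptOnSecureDesktop))."
}

# 2. Local Administrators membership (S-1-5-32-544): the bypass only matters
#    for a user who is an admin, which is why removing them is the other fix.
if ((whoami /groups) -match 'S-1-5-32-544') {
    Write-Warning 'Current user is a member of the local Administrators group.'
}

# 3. Per-user file-type handlers in HKCU\Software\Classes. These take
#    precedence over the machine-wide ones in HKLM, and a normal profile has
#    very few of them, so every shell\<verb>\command value is listed and any
#    key that was not present on the previous run is reported as new.
$scriptHosts = 'powershell|cmd\.exe|wscript|cscript|mshta'   # assumption
$handlers = Get-ChildItem 'HKCU:\Software\Classes' -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '\\shell\\[^\\]+\\command$' } |
    ForEach-Object {
        $cmd = [string]$_.GetValue('')        # the (Default) value holds the command line
        [pscustomobject]@{
            Key        = $_.Name -replace '^HKEY_CURRENT_USER\\Software\\Classes\\', ''
            Command    = $cmd
            ScriptHost = [bool]($cmd -match $scriptHosts)
        }
    }
$handlers | Format-Table -AutoSize

# Compare against the previous run and warn on handlers that were not there before.
$current = @($handlers | ForEach-Object { "$($_.Key)=$($_.Command)" } | Sort-Object)
if (Test-Path $baselinePath) {
    $previous = @(Get-Content $baselinePath)
    $current | Where-Object { $_ -notin $previous } |
        ForEach-Object { Write-Warning "New per-user handler: $_" }
}
$current | Set-Content $baselinePath
```

Scheduling the script to run periodically, or feeding the `Key`/`Command` objects to a log pipeline, turns the one-off check into the kind of alerting on new HKCU\Software\Classes entries that Nelson suggests.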
Jogs Posted August 17, 2016

I always believed UAC could be bypassed, had a lot of arguments on this. Personally I don't use UAC, but I don't advise others to do this.
SPECTRUM Posted August 17, 2016

UAC can be bypassed easily with a programmed task, but you should have access to the machine first to create the task. Anyway, UAC was never created to protect the system; it is just to deal with layer 8 users, users that execute files without having any idea what they are and what they do.
steven36 Posted August 17, 2016

3 minutes ago, Jogs said:
I always believed UAC could be bypassed, had a lot of arguments on this. Personally I don't use UAC, but I don't advise others to do this.

In Windows 8 or Windows 10 a VM won't run without UAC. If you don't use UAC there's nothing to bypass, meaning it's even easier for something to install something bad on your machine.
straycat19 Posted August 17, 2016

Quote
UAC vulnerability in Windows 7 and Windows 10 allows for traceless code execution

I find it ironic that Microsoft was trying to get users off Windows 7 because Windows 10 is more secure, but in the end it has the same faults (and maybe more) than Windows 7.
Batu69 (Author) Posted August 17, 2016

Thread has been merged.
steven36 Posted August 17, 2016

50 minutes ago, straycat19 said:
I find it ironic that Microsoft was trying to get users off Windows 7 because Windows 10 is more secure, but in the end it has the same faults (and maybe more) than Windows 7.

Microsoft didn't write this; it's a story written based on some researchers' findings in a lab environment, not real life. I've been using UAC since 2013 with no problems with it whatsoever; I don't find things installed on my PC I don't want. Every day they find something wrong with something. Either you turn UAC all the way up if you're paranoid or you don't. Every day you read where some noobs click on ransomware and infect themselves; now this is real life, and it's never been a problem for me. It just depends on your skills, I guess. Till it's a problem for people in the wild, it's not a problem at all yet. Every month Google pays 1000s of dollars to patch stuff that's never been exploited in the wild. And every month new 0days show up that are being exploited in the wild, so their paying to be exploited is not really worth a hill of beans. Don't fear the fear that feeds you. No one can prove something that was patched before it was exploited in the wild really made any difference. Prevention has always been the best medicine, not a cure. Because many things never have a real cure ever.