A security researcher from Tenable, Inc. recently discovered that it is possible to bypass Windows’ User Account Control (UAC) by spoofing the execution path of a file in a trusted directory.
Although Microsoft doesn’t consider UAC a security boundary, the feature still brings additional security benefits. UAC alerts users in the Administrators group when a program attempts to run with elevated privileges, so that the user can confirm the action.
However, the UAC prompt does not appear for all administrative executables on Windows, as some programs can auto-elevate, thus bypassing UAC. However, Windows has a series of additional security checks in place to ensure that only a select group of trusted executables can auto-elevate.
Even so, the approach can be abused to bypass UAC, and Tenable’s David Wells recently discovered a new technique that leverages this functionality to ensure that no UAC prompt is displayed when a rogue executable runs.
Executables that can auto-elevate need to be already configured for auto-elevation (in which case an “autoElevate” key exists for that file), to be properly signed, and to run from a Trusted Directory, such as “C:WindowsSystem32,” the security researcher explains.
The researcher discovered that, in one of the checks it performs to ensure the executable can auto-elevate, Appinfo.dll (AIS) calls the RtlPrefixUnicodeString API and verifies that the target executable path begins with “C:WindowsSystem32.”
He was able to create a directory called “C:Windows ” (it has a space after “Windows”) by using the CreateDirectory API and prepending a “\?” to the directory name (to bypass naming filter rules in Windows) and then created a “System32” directory in it.
Next, he copied a signed, auto elevating executable from the real “C:WindowsSystem32”, and, by analyzing the manner in which Windows handles its execution, discovered that no UAC prompt is triggered.
When “C:Windows System32winSAT.exe” is executed, Appinfo.dll passes it to the GetLongPathNameW API, which converts it back to “C:WindowsSystem32winSAT.exe,” removing the additional space after Windows. Next, the trusted directory checks are performed against this converted string.
“The beauty is that after the trusted directory check is done with this converted path string, it is then freed, and rest of checks (and final elevated execution request) are done with the original executable path name (with the trailing space). This allows all other checks to pass and results in appinfo.dll spawning my winSAT.exe copy as auto elevated (since it is both properly signed and whitelisted for auto elevation),” the researcher notes.
The researcher also notes that he was able to elevate attacker code by dropping a fake WINMM.dll (imported by winSAT.exe) in the spoofed “C:WindowsSystem32” directory, for a local dll hijack. The researcher also published proof-of-concept code for this UAC bypass technique.