A researcher has come up with a Windows UAC bypass method that allows malicious apps to evade security checks. This technique involves DLL hijacking by creating mock directories.
Windows UAC Bypass Method
Describing the details in a blog post, the researcher Daniel Gebert has shared a detailed Windows UAC bypass method. The technique briefly involves creating mock folders and DLL hijacking.
Windows User Account Control (UAC) is a security check feature that alerts users upon various instances. That is, it generates alert windows when a malicious, unwanted, untrusted, or an otherwise high-risk app attempts to run on the device. Or, when an app asks permission to run with elevated privileges.
Nonetheless, it permits some trusted DLLs under “C:\Windows\System32\” to execute with elevated privileges without displaying any alert.
Hence, Gerbert found that exploiting this feature with DLL hijacking can allow bypassing the Windows 10 UAC. For this, creating mock directories (directories with names similar to the legit ones) can help.
For example, Gerbert, in his demonstration, created mock “C:\Windows \System32” (note that the actual directory name has no space between “C:\Windows” and “\System32”).
Then, following the approach of Wietze Beukema (who shared a similar exploit earlier along with a list of 300 executables vulnerable to DLL hijacking), Gerbert found more vulnerable executables.
Moreover, Gerbert’s work demonstrates ease of exploit as it involves no rewriting of DLLs (unlike the work of Beukema). Rather he could simply use a template from GitHub and add a payload to it to execute the attack.
Details of the attack strategy are available in Gerbert’s blog post. Whereas, the following video demonstrates the PoC.
Recommended Mitigation
According to Gerbert, possible mitigation of such attacks is to set the UAC alert level to the highest.
Usually, the Windows 10 UAC settings are adjusted to a moderately secure level. At this level, UAC will not notify whenever the user (especially one with admin access) makes any changes to Windows settings. Rather it would only notify whenever any app makes such an attempt.
However, setting up the security to the highest level will also let UAC generate alerts whenever the user makes changes.
Non-enterprise end-users who frequently visit various trusted and untrusted websites should use this setting.
To change these settings, simply follow this path: Control Panel > System and Security > Security and Maintenance > Change User Account Control Settings. Give permission to the program to execute, and then move the security bar to the top level (as shown below).
Let us know your thoughts in the comments.
