UACMe - Defeating Windows User Account Control

Forum for announcements and questions about tools and software.
r3shl4k1sh
Posts: 119
Joined: Tue Feb 05, 2013 10:26 pm
Location: Israel

Re: UACMe - Defeating Windows User Account Control

Post by r3shl4k1sh » Tue Aug 23, 2016 3:26 pm

The following article gives another method to defeat the UAC using environment variables:
http://breakingmalware.com/vulnerabilit ... expansion/

POC:
https://github.com/BreakingMalwareResearch/eleven

EP_X0FF
Global Moderator
Posts: 4812
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Post by EP_X0FF » Wed Nov 23, 2016 5:49 am

Russian "l33t" magazine released paper incorporating this thread

_https://xakep.ru/2016/11/10/fuck-uac/

They have a paid subscription and to read the whole article you need to subscribe. Do not pay them any money, fuck them -> read the original full story here for free.
Ring0 - the source of inspiration

EP_X0FF
Global Moderator

Post by EP_X0FF » Sun Jan 15, 2017 9:58 am

15007 (presumably; 15002 not checked) brings long-awaited changes to the IFileOperation interface. For now, attempts to create/copy/move files in Windows and its subdirectories will result in E_ACCESSDENIED no matter if you do this from a faked process or from code injected into the Explorer process. Additionally it seems it is no longer possible to create subdirectories in Windows without having full admin rights. Because IFileOperation is critical to the UAC bypass (Middle->High) scheme you may consider every "method" based on it now dead. IFileOperation however is still autoelevated, which means these changes are special restrictions added to fight UAC bypass.
Ring0 - the source of inspiration

EP_X0FF
Global Moderator

Post by EP_X0FF » Tue Jan 17, 2017 6:22 am

r3shl4k1sh wrote:The following article gives another method to defeat the UAC using environment variables:
http://breakingmalware.com/vulnerabilit ... expansion/

POC:
https://github.com/BreakingMalwareResearch/eleven
Comet embedded into UACMe as method 24, well, let's see if MS will finally discover and fix it. All credits to the original authors.
Ring0 - the source of inspiration

EP_X0FF
Global Moderator

Post by EP_X0FF » Wed Jan 18, 2017 7:48 am

Enigma0x3 method integrated as #25, more information about this simple and cute method can be found here https://enigma0x3.net/2016/08/15/filele ... hijacking/. It is already used by script-kiddie malware ITW. Also this method was "tweaked" to work on the 15007 rs2 build, which introduced Microsoft's failed attempt to fix it.
Ring0 - the source of inspiration

EP_X0FF
Global Moderator

Post by EP_X0FF » Wed Jan 18, 2017 4:27 pm

EP_X0FF wrote:15007 (presumably; 15002 not checked) brings long-awaited changes to the IFileOperation interface. For now, attempts to create/copy/move files in Windows and its subdirectories will result in E_ACCESSDENIED no matter if you do this from a faked process or from code injected into the Explorer process. Additionally it seems it is no longer possible to create subdirectories in Windows without having full admin rights. Because IFileOperation is critical to the UAC bypass (Middle->High) scheme you may consider every "method" based on it now dead. IFileOperation however is still autoelevated, which means these changes are special restrictions added to fight UAC bypass.

Updated UACMe with working-again methods 20, 21, 22, 23 will be published tomorrow. It turned out I overestimated Microsoft's changes.

Edit: UACMe updated and now able to deliver again.
Last edited by EP_X0FF on Thu Jan 19, 2017 7:00 am, edited 1 time in total.
Reason: edit
Ring0 - the source of inspiration

EP_X0FF
Global Moderator

Post by EP_X0FF » Tue Feb 07, 2017 5:40 pm

Enigma0x3 DiskCleanup method integrated in UACMe as #26. Works on Windows 10 only.
Ring0 - the source of inspiration

EP_X0FF
Global Moderator

Post by EP_X0FF » Wed Feb 08, 2017 12:25 pm

Ring0 - the source of inspiration

EP_X0FF
Global Moderator

Post by EP_X0FF » Thu Feb 09, 2017 6:09 am

Microsoft changed CompMgmtLauncher.exe in RS2 build 15031 by dropping its autoelevation and setting requestedExecutionLevel to asInvoker, thus effectively killing the Comet and Enigma0x3 UAC bypasses.
Ring0 - the source of inspiration
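To verify on your own build the manifest change the post above describes (autoElevate dropped, requestedExecutionLevel set to asInvoker), the following added PowerShell snippet, which is not part of UACMe or this thread, pulls the embedded manifest out of a PE file and reports those two settings. It assumes the manifest is embedded as UTF-8 XML in the binary (the normal case for System32 executables) and locates it with a text search rather than the resource API; the function name is a hypothetical one chosen for this example.

```powershell
# Added example (not UACMe code): report the requestedExecutionLevel and
# autoElevate settings from an executable's embedded manifest.
function Get-ManifestElevationInfo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Path
    )
    process {
        $full = (Resolve-Path -LiteralPath $Path).ProviderPath
        # The RT_MANIFEST resource is plain UTF-8 XML inside the file, so decoding
        # the raw bytes as ASCII is enough for a regex to find the <assembly> block.
        $bytes = [System.IO.File]::ReadAllBytes($full)
        $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
        $m = [regex]::Match($text, '(?s)<assembly\b.*?</assembly>')
        if (-not $m.Success) {
            return [pscustomobject]@{
                Path = $full; HasManifest = $false; Level = $null; AutoElevate = $null
            }
        }
        $xml = $m.Value
        # Element names may carry a namespace prefix (e.g. asmv3:), so allow one.
        $level = [regex]::Match($xml, '<(?:\w+:)?requestedExecutionLevel\b[^>]*\blevel="([^"]+)"')
        $auto  = [regex]::Match($xml, '<(?:\w+:)?autoElevate>\s*(\w+)\s*</')
        [pscustomobject]@{
            Path        = $full
            HasManifest = $true
            Level       = if ($level.Success) { $level.Groups[1].Value } else { $null }
            AutoElevate = if ($auto.Success) { $auto.Groups[1].Value -eq 'true' } else { $false }
        }
    }
}

# Check the binary named in the post on the running build. On 15031 and later
# the post says this should report Level = asInvoker and AutoElevate = False.
Get-ManifestElevationInfo "$env:SystemRoot\System32\CompMgmtLauncher.exe" | Format-List
```

Binaries whose manifest lives in a separate .manifest file, or that have no manifest at all, are reported with HasManifest = False.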

EP_X0FF
Global Moderator

Post by EP_X0FF » Thu Feb 09, 2017 7:00 am

Additionally cleanmgr.exe now sets the "Read" file security permission for the current user when it copies dismhost-related files to %temp%. With this change it is now impossible to overwrite these files without elevation (IFileOperation), thus killing the Enigma0x3 method's main advantage -> that you were able to bypass UAC silently even with the "AlwaysNotify" setting.
Ring0 - the source of inspiration
