 #29609  by EP_X0FF
 Wed Nov 23, 2016 5:49 am
Russian "l33t" magazine released paper incorporating this thread

_https://xakep.ru/2016/11/10/fuck-uac/

They have a paid subscription and to read the whole article you need to subscribe. Do not pay them any money, fuck them -> read the original full story here for free.
 #29859  by EP_X0FF
 Sun Jan 15, 2017 9:58 am
15007 (presumably; 15002 not checked) brings long-awaited changes in the IFileOperation interface. For now, attempts to create/copy/move files in Windows and its subdirectories will result in E_ACCESSDENIED no matter if you do this from a faked process or from code injected into the Explorer process. Additionally, it seems it is no longer possible to create subdirectories in Windows without having full admin rights. Because IFileOperation is critical to the UAC bypass (Middle->High) scheme, you may consider every "method" based on it now dead. IFileOperation, however, is still autoelevated, which means these changes are special restrictions added to fight UAC bypass.
 #29867  by EP_X0FF
 Tue Jan 17, 2017 6:22 am
r3shl4k1sh wrote:The following article gives another method to defeat the UAC using environment variables:
http://breakingmalware.com/vulnerabilit ... expansion/

POC:
https://github.com/BreakingMalwareResearch/eleven
Comet embedded into UACMe as method 24; well, let's see if MS will finally discover and fix it. All credits to the original authors.
 #29869  by EP_X0FF
 Wed Jan 18, 2017 7:48 am
Enigma0x3 method integrated as #25; more information about this simple and cute method can be found here https://enigma0x3.net/2016/08/15/filele ... hijacking/. It is already used by script-kiddie malware ITW. Also, this method was "tweaked" to work on the 15007 rs2 build, which introduced Microsoft's failed attempt to fix it.
 #29870  by EP_X0FF
 Wed Jan 18, 2017 4:27 pm
EP_X0FF wrote:15007 (presumably; 15002 not checked) brings long-awaited changes in the IFileOperation interface. For now, attempts to create/copy/move files in Windows and its subdirectories will result in E_ACCESSDENIED no matter if you do this from a faked process or from code injected into the Explorer process. Additionally, it seems it is no longer possible to create subdirectories in Windows without having full admin rights. Because IFileOperation is critical to the UAC bypass (Middle->High) scheme, you may consider every "method" based on it now dead. IFileOperation, however, is still autoelevated, which means these changes are special restrictions added to fight UAC bypass.

Updated UACMe with working-again methods 20, 21, 22 and 23 will be published tomorrow. It turned out I overestimated Microsoft's changes.

Edit: UACMe updated and now able to deliver again.
Last edited by EP_X0FF on Thu Jan 19, 2017 7:00 am, edited 1 time in total. Reason: edit
 #29942  by EP_X0FF
 Thu Feb 09, 2017 6:09 am
Microsoft changed CompMgmtLauncher.exe in RS2 build 15031 by dropping its autoelevation and setting requestedExecutionLevel to asInvoker, thus effectively killing the Comet and Enigma0x3 UAC bypasses.
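A manifest check for the kind of change described in this post, added here as an example (it is not code from the thread or from UACMe): it parses an application manifest and reports the requestedExecutionLevel together with whether autoElevate is declared, so a defender can audit which binaries still carry the combination that an asInvoker change removes. Both manifests are constructed samples; the signature and Windows-directory conditions that Windows also requires for autoelevation are not checked.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the shape the post describes for RS2 15031 CompMgmtLauncher.exe,
# requestedExecutionLevel dropped to asInvoker and no autoElevate element at all.
MANIFEST_ASINVOKER = """<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security><requestedPrivileges>
      <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
    </requestedPrivileges></security>
  </trustInfo>
</assembly>"""

# Constructed sample: highestAvailable plus autoElevate, the combination that lets a
# signed binary in the Windows directory elevate without a consent prompt.
MANIFEST_AUTOELEVATE = """<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security><requestedPrivileges>
      <requestedExecutionLevel level="highestAvailable" uiAccess="false"/>
    </requestedPrivileges></security>
  </trustInfo>
  <application xmlns="urn:schemas-microsoft-com:asm.v3">
    <windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
      <autoElevate>true</autoElevate>
    </windowsSettings>
  </application>
</assembly>"""


def _local(tag):
    """Strip the XML namespace; real manifests mix asm.v2/asm.v3 for trustInfo."""
    return tag.rsplit("}", 1)[-1]


def elevation_profile(manifest_xml):
    """Return (requestedExecutionLevel, autoElevate) parsed from a manifest string."""
    root = ET.fromstring(manifest_xml)
    level, auto = "asInvoker", False  # what Windows assumes when the elements are absent
    for el in root.iter():
        name = _local(el.tag)
        if name == "requestedExecutionLevel":
            level = el.get("level", level)
        elif name == "autoElevate":
            auto = (el.text or "").strip().lower() == "true"
    return level, auto


def can_autoelevate(manifest_xml):
    """True when the manifest both asks for elevation and opts into silent autoElevate."""
    level, auto = elevation_profile(manifest_xml)
    return auto and level != "asInvoker"
```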
 #29943  by EP_X0FF
 Thu Feb 09, 2017 7:00 am
Additionally, cleanmgr.exe now sets the file "Read" security permission for the current user when it copies dismhost-related files to %temp%. With this change it is now impossible to overwrite these files without elevation (IFileOperation), thus killing the Enigma0x3 method's main advantage -> when you were able to bypass UAC silently even with the "AlwaysNotify" setting.