Breaking off UAC
I don’t know how many times the notorious topic of monitoring user actions has been raised (which is known as UAC since Windows Vista): whether it is needed, how effective ... But we will look at this question again, now from a purely applied, hacker point of view. Consider the pros and cons of the system, as well as the most important thing - how it can (and can you even be) be circumvented.
So, what is UAC in terms of security? The developers of Windows (apparently taking a lot of concern with dull information from bugtracks, which are regularly updated with new and new vulnerabilities in the most common operating system in the world) decided that if all or almost all users sit under administrator rights, then you need to make some software component seek permission from users.
Let's leave aside the holivar on the topic “Does a simple user need administrator rights?”, Because this extremely philosophical question is controversial: on the one hand, the rights of the admin to the simple user are not really needed, and on the other, they are necessary for everyday programs.
So, UAC is designed to provide users with the opportunity to work without recourse to administrative rights. With administrative rights, the user can view and change any part of the operating system, including the code and data of other users and even Windows itself. Without administrative rights, users cannot accidentally change system settings, malware cannot change system security settings or disable avver, and users cannot compromise the security of other users' important data on public computers. Working with ordinary user rights in this way helps reduce the number of urgent help desk calls in corporate environments, mitigate damage from malware, contributes to a clearer performance of home computers and protects sensitive data on publicly accessible wheelbarrows.
UAC divides all executable tasks into two groups - those that can be performed by regular users and those that are performed only by administrators. UAC imperceptibly for the administrator puts the system into the unprivileged user mode, and when administrator rights are required, a system dialog appears through which you can temporarily upgrade your rights.
And after all, it must be admitted that the introduction of UAC is quite bad for beginners and not-so-coders who earn their living with Malvari development, so that on special boards customers now first of all ask about the possibility of code to work in Vista / 7 and bypass UAC. They paid and still pay quite adequate money for it.
The vast majority of installers require administrative rights, so the image loader, which initiates the launch of an executable file, contains installer detection code to detect outdated versions. Some of the algorithms used by the heuristic loader are fairly simple: it looks for the words “setup”, “install” or “update” in the image file name or internal version information. More complex algorithms include viewing bytes in an executable file, which are usually used by third-party developers in utility programs - installation shells.
To determine whether the target executable needs administrative privileges, the image loader also calls the application compatibility library (appcompat). The library accesses the application compatibility database to determine whether the RequireAdministrator or RunAsInvoker compatibility flags are associated with the executable file.
The most common way to request administrative rights for an executable file is to add the requestedElevationLevel tag to its application manifest file. Manifests are XML files that contain additional information about the image. They were introduced in Windows XP as a way to determine dependencies for parallel DLLs and Microsoft .NET Framework assemblies. The presence of the trustInfo element in the manifest (it is shown below in the Firewallsettings.exe dump fragment) means that the executable file was written for Windows Vista and contains the requestedElevationLevel element. The level attribute of this element can have one of three values: asInvoker, highestAvailable, and requireAdministrator.
Examples of applications for which the value is highestAvailable are Regedit.exe, Mmc.exe, and Eventvwr.exe. Finally, the value of requireAdministrator always initiates a raise request and is used by all executable files that cannot perform their actions without administrative rights.
In applications with special features, the uiAccess attribute is set to "true" to control the input window in processes with elevated rights. In addition, they must be signed and in one of several secure placements, including% SystemRoot% and% ProgramFiles%, to provide these capabilities.
The values specified by the executable file can be easily determined by viewing its manifest using the Sigcheck utility from Sysinternals. For example: sigcheck –m. When you run an image that requests administrative rights, the application information service (also known as AIS, is located in% SystemRoot% \ System32 \ Appinfo.dll), running in the Service Host process (% SystemRoot% \ System32 \ Svchost.exe), is instructed run the program Consent.exe (% SystemRoot% \ System32 \ Consent.exe). Consent creates a screenshot, applies a fade effect to it, switches to a desktop accessible only by the system account, sets a darkened snapshot as a background, and opens an elevation dialog box containing information about the executable file. Displaying on a separate desktop prevents this dialog box from being modified by any malware running under a user account.
')
There is such WinAPI - RtlQueryRegistryValues (msdn.microsoft.com), it is used to request multiple values from the registry with one of its own calls, which is done using the special table RTL_QUERY_REGISTRY_TABLE, which is passed as the __in__out parameter.
The most interesting (and shameful for Microsoft developers) in this API is that there is a specific registry key that can be changed using limited user rights: HKCU \ EUDC \ [Language] \ SystemDefaultEUDCFont. If you change the type of this key to REG_BINARY, then calling RtlQueryRegistryValues will result in a buffer overflow.
When the Win32k.sys! NtGdiEnableEudc kernel API function queries the HKCU \ EUDC \ [Language] \ SystemDefaultEUDCFont registry key, it honestly assumes that the registry key is of type REG_SZ, so the UNICODE_STRING structure is passed to the buffer, with the first field being ULONG type (where is the string length). But since we can change the type of this parameter to REG_BINARY, this puts a deep deadlock on the system and it incorrectly interprets the length of the transferred buffer, which leads to a stack overflow.
Good luck in your endeavors and may the force be with you!
Hacker Magazine, June (06) 149
Alexander Eckert
Subscribe to "Hacker"
So, what is UAC in terms of security? The developers of Windows (apparently taking a lot of concern with dull information from bugtracks, which are regularly updated with new and new vulnerabilities in the most common operating system in the world) decided that if all or almost all users sit under administrator rights, then you need to make some software component seek permission from users.
Let's leave aside the holivar on the topic “Does a simple user need administrator rights?”, Because this extremely philosophical question is controversial: on the one hand, the rights of the admin to the simple user are not really needed, and on the other, they are necessary for everyday programs.
So, UAC is designed to provide users with the opportunity to work without recourse to administrative rights. With administrative rights, the user can view and change any part of the operating system, including the code and data of other users and even Windows itself. Without administrative rights, users cannot accidentally change system settings, malware cannot change system security settings or disable avver, and users cannot compromise the security of other users' important data on public computers. Working with ordinary user rights in this way helps reduce the number of urgent help desk calls in corporate environments, mitigate damage from malware, contributes to a clearer performance of home computers and protects sensitive data on publicly accessible wheelbarrows.
UAC divides all executable tasks into two groups - those that can be performed by regular users and those that are performed only by administrators. UAC imperceptibly for the administrator puts the system into the unprivileged user mode, and when administrator rights are required, a system dialog appears through which you can temporarily upgrade your rights.
And after all, it must be admitted that the introduction of UAC is quite bad for beginners and not-so-coders who earn their living with Malvari development, so that on special boards customers now first of all ask about the possibility of code to work in Vista / 7 and bypass UAC. They paid and still pay quite adequate money for it.
Some educational program, or how to legally get admin rights
There are many ways to determine the need of a system and applications for administrative rights. One of them is the context menu command and the “Run as administrator” shortcut in the explorer user interface. These elements contain a colored shield icon that must be added to all buttons or menu items, the selection of which leads to elevation of rights. When selecting the “Run as administrator” item, the explorer calls the ShellExecute API function with the “runas” command.The vast majority of installers require administrative rights, so the image loader, which initiates the launch of an executable file, contains installer detection code to detect outdated versions. Some of the algorithms used by the heuristic loader are fairly simple: it looks for the words “setup”, “install” or “update” in the image file name or internal version information. More complex algorithms include viewing bytes in an executable file, which are usually used by third-party developers in utility programs - installation shells.
To determine whether the target executable needs administrative privileges, the image loader also calls the application compatibility library (appcompat). The library accesses the application compatibility database to determine whether the RequireAdministrator or RunAsInvoker compatibility flags are associated with the executable file.
The most common way to request administrative rights for an executable file is to add the requestedElevationLevel tag to its application manifest file. Manifests are XML files that contain additional information about the image. They were introduced in Windows XP as a way to determine dependencies for parallel DLLs and Microsoft .NET Framework assemblies. The presence of the trustInfo element in the manifest (it is shown below in the Firewallsettings.exe dump fragment) means that the executable file was written for Windows Vista and contains the requestedElevationLevel element. The level attribute of this element can have one of three values: asInvoker, highestAvailable, and requireAdministrator.
<trustInfo xmlns="urn:schema-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel Level="requireAdministrator" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> Examples of applications for which the value is highestAvailable are Regedit.exe, Mmc.exe, and Eventvwr.exe. Finally, the value of requireAdministrator always initiates a raise request and is used by all executable files that cannot perform their actions without administrative rights.
In applications with special features, the uiAccess attribute is set to "true" to control the input window in processes with elevated rights. In addition, they must be signed and in one of several secure placements, including% SystemRoot% and% ProgramFiles%, to provide these capabilities.
The values specified by the executable file can be easily determined by viewing its manifest using the Sigcheck utility from Sysinternals. For example: sigcheck –m. When you run an image that requests administrative rights, the application information service (also known as AIS, is located in% SystemRoot% \ System32 \ Appinfo.dll), running in the Service Host process (% SystemRoot% \ System32 \ Svchost.exe), is instructed run the program Consent.exe (% SystemRoot% \ System32 \ Consent.exe). Consent creates a screenshot, applies a fade effect to it, switches to a desktop accessible only by the system account, sets a darkened snapshot as a background, and opens an elevation dialog box containing information about the executable file. Displaying on a separate desktop prevents this dialog box from being modified by any malware running under a user account.
')
Typical reaction of UAC to incomprehensible actions
Buffer overflow
It would seem, what is the relationship between buffer overflow and UAC? It turns out that bugs hidden in Windows allow you to bypass UAC restrictions and enhance your rights. Today I will show you with a concrete example of how using trivial buffer overflow you can bypass UAC and gain administrative rights.There is such WinAPI - RtlQueryRegistryValues (msdn.microsoft.com), it is used to request multiple values from the registry with one of its own calls, which is done using the special table RTL_QUERY_REGISTRY_TABLE, which is passed as the __in__out parameter.
The most interesting (and shameful for Microsoft developers) in this API is that there is a specific registry key that can be changed using limited user rights: HKCU \ EUDC \ [Language] \ SystemDefaultEUDCFont. If you change the type of this key to REG_BINARY, then calling RtlQueryRegistryValues will result in a buffer overflow.
When the Win32k.sys! NtGdiEnableEudc kernel API function queries the HKCU \ EUDC \ [Language] \ SystemDefaultEUDCFont registry key, it honestly assumes that the registry key is of type REG_SZ, so the UNICODE_STRING structure is passed to the buffer, with the first field being ULONG type (where is the string length). But since we can change the type of this parameter to REG_BINARY, this puts a deep deadlock on the system and it incorrectly interprets the length of the transferred buffer, which leads to a stack overflow.
UINT codepage = GetACP(); TCHAR tmpstr[256]; _stprintf_s(tmpstr, TEXT("EUDC\\%d"), codepage); HKEY hKey; RegCreateKeyEx(HKEY_CURRENT_USER, tmpstr, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_SET_VALUE | DELETE, NULL, &hKey, NULL); RegDeleteValue(hKey, TEXT("SystemDefaultEUDCFont")); RegSetValueEx(hKey, TEXT("SystemDefaultEUDCFont"), 0, REG_BINARY, RegBuf, ExpSize); __try { EnableEUDC(TRUE); } __except(1) { } RegDeleteValue(hKey, TEXT("SystemDefaultEUDCFont")); RegCloseKey(hKey); Exploit key point
Disable UAC through a snap
Conclusion
You can bypass the UAC. Not to say that it is easy, because the developers of Windows VIsta / W7 did their best, we must give them their due. But still loopholes remain. You can find one or two rabbit holes that are able to negate the efforts of the Windows team. Success in this case comes to those who can work with debuggers and debuggers such as IDA Pro or WinDBG.Good luck in your endeavors and may the force be with you!
Hacker Magazine, June (06) 149
Alexander Eckert
Subscribe to "Hacker"
Source: https://habr.com/ru/post/122272/
All Articles