Researchers discover Windows issue that allows UAC bypass

An unprivileged user has write access to the temporary directory.
An unprivileged user has write access to the temporary directory.

A pair of security researchers discovered a flaw that affects the SilentCleanup process in Windows 10 and allows attackers to bypass the User Account Control (UAC) security feature.

Matt Graeber and Matt Nelson, security researchers at Veris Group, found that unprivileged users can launch SilentCleanup, a scheduled Windows 10 task. The scheduled task auto-elevates and runs with elevated privileges, as a result of an “execute with highest privileges” setting in the task configuration.

The unprivileged user has write access to the temporary directory, allowing an attacker to “hijack a DLL loaded by dismhost.exe and obtain code execution in a high integrity process,” Nelson wrote in a blog post detailing the discovery. “This is commonly known as a ‘BypassUAC' attack.”

“Implementing this UAC bypass is relatively trivial,” Nelson wrote in an email to SCMagazine.com. “We would certainly expect the bypass to be adopted by both real-world attackers as well as pen-testers and red teamers, but hopefully the exposure pushes people to add mitigations for this technique, like simply removing the scheduled task.”

The flaw was reported to the Microsoft Security Response Center last month. When contacted by SCMagazine.com, a Microsoft spokesperson responded by stating that the UAC issue “is not a vulnerability but a method of bypassing a defense-in-depth feature, and it requires administrative privileges to work. We recommend customers follow best practices and not run machines in administrator mode full-time.”

Microsoft's security vulnerability definition states that “by-design weaknesses may sometimes occur in a product, but these aren't security vulnerabilities.”

“While not a vulnerability, it does allow an attacker an alternate method to move to high integrity that differs from previous bypasses and introduces one more location or chokepoint that must be monitored to observe attacker behavior,” Nelson wrote in the blog post.

He wrote in an email to SCMagazine.com, “A UAC bypass after all already requires that the user be an administrator, so we certainly understand that this might not be fixed with any expedience.”

Microsoft has been repeatedly plagued by UAC challenges, most notably in the case of a 2014 issue that leveraged a Microsoft PowerPoint exploit. The flaw was used by the “Sandworm Team,” a Russian APT group in an espionage campaign that targeted the North Atlantic Treaty Organization (NATO), a university in the U.S., a Polish energy firm, European telecommunications firms, a Western European government agency, and other organizations.
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS