Windows 7 UAC Exploit
"Sysprep DLL search order hijacking" - 60.000 Google Search results and hackers can't hear the end of it!
This is - by far - the best-known UAC exploit in the world. It dates from the time Windows 7 introduced different UAC levels, and with them a very serious logic issue that goes beyond this particular exploit. Windows Vista kept nagging with UAC dialogs, so users deactivated it completely. Then Microsoft came up with a way to keep security up to a certain level whilst sparing users continuous popups. Having both at the same time, the way it was implemented, just did not work out.
How it works
By any means, if you know this exploit, you may very well skip this section!
Because putting research effort into the UAC inevitably leads you to learn about this exploit. Hell, I was searching for additional information and kept scrolling until there was no "sysprep" on my screen anymore! And what's even more surprising: Microsoft did not fix this for Windows 7! This is what makes it particularly interesting; I wouldn't have invested time into implementation and publication otherwise. Note that Windows 8 and above are indeed patched.
DLL search order: When a process loads a DLL, there is a specific order of directories to look for it. First, the application directory is searched. Then, the current directory and then the system directory, which is usually C:\Windows\system32. The rest of the list is currently not of interest.
auto-elevate: The UAC now has two distinct modes (the third one is just optimized for slow graphics cards). "Always notify", the only choice Windows Vista users had, pops up a consent dialog every time elevated privileges are requested. Due to negative user feedback (what a surprise), we now have "Default - Don't notify me when I make changes to Windows" in addition. This basically means that some programs, such as the Task Manager - and sysprep! - elevate without the user's consent. A binary with a manifest that specifies "autoelevate" and is both signed by Microsoft and stored in a secure location (like system32) can now automatically elevate, unless UAC is set to "Always notify".
Privileged file copy: You cannot directly write into system32, Program Files, etc. But did you notice that Windows Explorer can - and without a consent prompt? The IFileOperation COM object is used instead of WinAPI's CopyFile. Since Explorer can and we can't, let's inject a DLL into explorer.exe. We can inject a DLL from a medium integrity process into another one, unless it is elevated. So, we just force the running explorer.exe process to load our first DLL. This DLL will run in a thread of Explorer and, using IFileOperation, we indeed can write into system32. However, we cannot overwrite existing DLL files, since they are owned by TrustedInstaller - something which, by the way, some users try to delete off their systems, for reasons I cannot comprehend.
Now combine those three facts
So, Microsoft grants themselves the license to ~~kill~~ elevate! Some system executables skip the UAC dialog and this is what makes them vulnerable. Any high integrity process that you can tamper with from a medium integrity process in order to ultimately load your DLL file will execute your arbitrary code in its own context - and in high integrity.
Now, luckily (or unfortunately), sysprep is located in a subdirectory of system32 - C:\Windows\System32\sysprep\sysprep.exe. So, placing a DLL file next to the executable that usually loads a DLL with this name from the system32 directory will cause the executable to load our DLL instead and instantly execute it. After excluding Known DLLs, which are always loaded from system32, we are left with a couple of options. Let's pick cryptbase.dll.
Now, let's sing:
- Inject DLL #1 into explorer.exe
- DLL #1 will use IFileOperation to copy DLL #2 to C:\Windows\System32\sysprep\cryptbase.dll
- Execute sysprep.exe
- sysprep.exe now runs with high integrity and loads DLL #2
- We do our job, whatever that is, delete leftover files to keep the system stable and use ExitProcess to terminate sysprep.exe
This exploit as well as most other local privilege escalation exploits will not work with the UAC level at "Always notify". This is because auto elevation only works on the default UAC level, which is what it was designed for. However, I wouldn't dare to suggest increasing the UAC level, as you are then left with a security concept that is just painful. Remember Vista's UAC shit storm? Happy new year 2007, then...
Local Administrator Group
The user must be in the local administrator group. Otherwise, any privileged operation will require a standard user to enter the administrator user's credentials. Compared to the UAC at "Always notify", this means the user cannot elevate anything unless they enter the administrator user's password. It is widespread practice in company networks to provide standard user accounts to most employees which not only prevent LPE exploits from auto elevating, but furthermore prevent any privileged operation whatsoever.
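The two preconditions spelled out above ("Always notify" not set, and the user being a member of the local Administrators group) plus the file the hijack plants next to sysprep.exe are all things a defender can audit from the affected desktop. The PowerShell script below is an added example for that purpose; it is not part of the Windows7UacExploit project and does not reproduce the exploit. It assumes the documented UAC policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (ConsentPromptBehaviorAdmin: 2 = "Always notify", 5 = the Windows 7 default, 0 = never prompt) and the well-known SID S-1-5-32-544 for the local Administrators group; which DLLs a stock sysprep directory contains is not asserted, so every DLL found there is reported together with its Authenticode status for the reader to judge.

```powershell
# Added example (not part of the project): audit the preconditions this README
# names for the sysprep auto-elevate hijack, from a defender's point of view.
# Run it as the interactive (medium-integrity) user whose exposure you want to know.

function Get-UacPolicy {
    # Assumption: these are the documented UAC policy values. Missing values
    # simply come back as $null, which counts as "not Always notify".
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key -ErrorAction Stop
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        # 2 = prompt for consent on the secure desktop = "Always notify".
        AlwaysNotify               = ($p.EnableLUA -eq 1 -and $p.ConsentPromptBehaviorAdmin -eq 2)
    }
}

function Test-LocalAdminMember {
    # The filtered token an admin user gets under UAC still carries the
    # Administrators SID (S-1-5-32-544), marked deny-only, so checking the
    # token's group list works for elevated and non-elevated sessions alike.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $adminSid = New-Object Security.Principal.SecurityIdentifier 'S-1-5-32-544'
    $id.Groups.Contains($adminSid)
}

function Get-SysprepDirectoryAudit {
    # The hijack described in the README drops a DLL (e.g. cryptbase.dll) next
    # to sysprep.exe. Report every DLL in that directory and whether it carries
    # a valid Microsoft signature; anything else deserves a closer look.
    $dir = Join-Path $env:SystemRoot 'System32\sysprep'
    Get-ChildItem -Path $dir -Filter '*.dll' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            [pscustomobject]@{
                Path       = $_.FullName
                Status     = $sig.Status
                Signer     = $subject
                Suspicious = ($sig.Status -ne 'Valid') -or ($subject -notmatch 'Microsoft')
            }
        }
}

$uac     = Get-UacPolicy
$isAdmin = Test-LocalAdminMember
$dlls    = @(Get-SysprepDirectoryAudit)

"UAC: EnableLUA=$($uac.EnableLUA) ConsentPromptBehaviorAdmin=$($uac.ConsentPromptBehaviorAdmin) AlwaysNotify=$($uac.AlwaysNotify)"
"Current user is a member of local Administrators: $isAdmin"
if ($dlls.Count -gt 0) {
    "DLLs found in $env:SystemRoot\System32\sysprep:"
    $dlls | Format-Table -AutoSize
} else {
    "No DLLs found in $env:SystemRoot\System32\sysprep"
}

# The README's own precondition set: admin member and UAC below "Always notify".
$exposed = $isAdmin -and -not $uac.AlwaysNotify
"Auto-elevate hijack preconditions present for this user: $exposed"
```

The last line reports what the two sections above say in words: a standard user account is not exposed regardless of the UAC level, and an administrator account is only shielded when UAC sits at "Always notify". The directory audit is the after-the-fact check; a clean machine should show no suspicious, unsigned or non-Microsoft DLL beside sysprep.exe.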
"Not a security boundary"
Not this again... But it's kind of true. If you are experienced with security, you will not just execute a file that you don't trust in the first place. So, stick with keeping malware away rather than hoping for security mechanisms to prevent damage. Also notably, malware can do a lot even with user rights. Don't underestimate this! Anything that you can accomplish yourself from the Windows desktop can be done by malware as well. Now look into your webcam and agree ;)
Impact and risk
This and similar exploits may be hard to find, but they are easy to comprehend. I already explained this to people who had little knowledge of computing and they understood it perfectly. Also, describing trivial exploits like this one to someone capable of implementing them requires just a couple of words. "sysprep auto-elevate DLL search order" is all a hacker needs to hear and without further ado will be able to implement it. This applies to many other exploits as well - finding one is hard and gets harder, implementation happens overnight.
UAC bypass exploits are basically what ransomware is made of. Ransomware that encrypts your entire hard drive to extort money from you is bad enough. However, adversaries who want to encrypt the files need to get rid of the shadow copies, or else files can be easily restored. Deleting them requires elevated privileges, and that's why UAC exploits are commonly used by this kind of malware. And currently it looks like people discover one UAC exploit after the other.
This particular exploit was fixed on Windows 8 and Windows 10 by simply hard-coding absolute paths to these DLLs in the executable's embedded manifest, which is effective. But it's only effective for one specific vulnerability and hell, it's not fixed in Windows 7, yet. It was spotted around the RC and I have the feeling it is there to stay.
This means the UAC in Windows 7 is basically useless. And even on current versions of Windows, people still find creative ways to tamper with privileged processes. It's an ongoing cat-and-mouse game. But in the end, the operating system hosts both high and medium integrity applications in literally one and the same place. Do you think it's trivial to keep these separated? It's not. There is a point of intersection, and this point is the exact definition of a vulnerability for local privilege escalation.
Implementation - source code and binaries
Since this exploit is very well known and everyone seems to like it, I thought why not implement a variant myself. Neither did I come up with the concept nor do I have to re-invent it. Implementation took a couple of hours tops. And don't call me gray for publishing it based on the previous section. This exploit can be found literally everywhere on the internet. Any black hat can and will use it - and most definitely knows that it's there. No one except Microsoft can fix it. And they don't seem to care, at least not for Windows 7.
- Windows7UacExploit.exe: When executed without command line arguments, escalates privileges and spawns an elevated cmd.
- Command line arguments: Optional. The first one is the executable that will be run elevated. Any following arguments are forwarded to this executable.
- Deployable: With these 3 files, any payload executable can be auto elevated. No .NET or Visual C++ Redistributable dependencies are required. Everything is written in C++ and compiled with /MT.
- As-is: Windows7UacExploit.exe will do exactly this and nothing else - this is not malware on its own. The binaries precisely reflect the source code that is provided as well.
- Works: Windows 7 is not patched, while this exploit has been well known for years.
BSD License Agreement
Copyright © , bytecode77
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
- Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
- Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
CC0 1.0 Universal
Statement of Purpose
The laws of most jurisdictions throughout the world automatically confer exclusive Copyright and Related Rights (defined below) upon the creator and subsequent owner(s) (each and all, an "owner") of an original work of authorship and/or a database (each, a "Work").
Certain owners wish to permanently relinquish those rights to a Work for the purpose of contributing to a commons of creative, cultural and scientific works ("Commons") that the public can reliably and without fear of later claims of infringement build upon, modify, incorporate in other works, reuse and redistribute as freely as possible in any form whatsoever and for any purposes, including without limitation commercial purposes. These owners may contribute to the Commons to promote the ideal of a free culture and the further production of creative, cultural and scientific works, or to gain reputation or greater distribution for their Work in part through the use and efforts of others.
For these and/or other purposes and motivations, and without any expectation of additional consideration or compensation, the person associating CC0 with a Work (the "Affirmer"), to the extent that he or she is an owner of Copyright and Related Rights in the Work, voluntarily elects to apply CC0 to the Work and publicly distribute the Work under its terms, with knowledge of his or her Copyright and Related Rights in the Work and the meaning and intended legal effect of CC0 on those rights.
Copyright and Related Rights. A Work made available under CC0 may be protected by copyright and related or neighboring rights ("Copyright and Related Rights"). Copyright and Related Rights include, but are not limited to, the following:
- the right to reproduce, adapt, distribute, perform, display, communicate, and translate a Work;
- moral rights retained by the original author(s) and/or performer(s);
- publicity and privacy rights pertaining to a person's image or likeness depicted in a Work;
- rights protecting against unfair competition in regards to a Work, subject to the limitations in paragraph 4(a), below;
- rights protecting the extraction, dissemination, use and reuse of data in a Work;
- database rights (such as those arising under Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, and under any national implementation thereof, including any amended or successor version of such directive); and
- other similar, equivalent or corresponding rights throughout the world based on applicable law or treaty, and any national implementations thereof.
- Waiver. To the greatest extent permitted by, but not in contravention of, applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and unconditionally waives, abandons, and surrenders all of Affirmer's Copyright and Related Rights and associated claims and causes of action, whether now known or unknown (including existing as well as future claims and causes of action), in the Work (i) in all territories worldwide, (ii) for the maximum duration provided by applicable law or treaty (including future time extensions), (iii) in any current or future medium and for any number of copies, and (iv) for any purpose whatsoever, including without limitation commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each member of the public at large and to the detriment of Affirmer's heirs and successors, fully intending that such Waiver shall not be subject to revocation, rescission, cancellation, termination, or any other legal or equitable action to disrupt the quiet enjoyment of the Work by the public as contemplated by Affirmer's express Statement of Purpose.
- Public License Fallback. Should any part of the Waiver for any reason be judged legally invalid or ineffective under applicable law, then the Waiver shall be preserved to the maximum extent permitted taking into account Affirmer's express Statement of Purpose. In addition, to the extent the Waiver is so judged Affirmer hereby grants to each affected person a royalty-free, non transferable, non sublicensable, non exclusive, irrevocable and unconditional license to exercise Affirmer's Copyright and Related Rights in the Work (i) in all territories worldwide, (ii) for the maximum duration provided by applicable law or treaty (including future time extensions), (iii) in any current or future medium and for any number of copies, and (iv) for any purpose whatsoever, including without limitation commercial, advertising or promotional purposes (the "License"). The License shall be deemed effective as of the date CC0 was applied by Affirmer to the Work. Should any part of the License for any reason be judged legally invalid or ineffective under applicable law, such partial invalidity or ineffectiveness shall not invalidate the remainder of the License, and in such case Affirmer hereby affirms that he or she will not (i) exercise any of his or her remaining Copyright and Related Rights in the Work or (ii) assert any associated claims and causes of action with respect to the Work, in either case contrary to Affirmer's express Statement of Purpose.
Limitations and Disclaimers.
- No trademark or patent rights held by Affirmer are waived, abandoned, surrendered, licensed or otherwise affected by this document.
- Affirmer offers the Work as-is and makes no representations or warranties of any kind concerning the Work, express, implied, statutory or otherwise, including without limitation warranties of title, merchantability, fitness for a particular purpose, non infringement, or the absence of latent or other defects, accuracy, or the present or absence of errors, whether or not discoverable, all to the greatest extent permissible under applicable law.
- Affirmer disclaims responsibility for clearing rights of other persons that may apply to the Work or any use thereof, including without limitation any person's Copyright and Related Rights in the Work. Further, Affirmer disclaims responsibility for obtaining any necessary consents, permissions or other rights required for any use of the Work.
- Affirmer understands and acknowledges that Creative Commons is not a party to this document and has no duty or obligation with respect to this CC0 or use of the Work.
For more information, please see https://creativecommons.org/publicdomain/zero/1.0/