Windows Vista: Non-privileged code can redirect shortcuts to intercept privilege elevation requests

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Windows Vista: Non-privileged code can redirect shortcuts to intercept privilege elevation requests
From: robpaveza@xxxxxxxxx
Date: 14 May 2007 05:56:12 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Tested on x86 and x64 editions of Windows Vista Ultimate, though this exploit 
should function correctly on all x86 and x64 editions of Windows Vista.

This exploit requires an attack vector such as a Trojan horse.  However, in 
light of the enormous success of such types of attacks in the past, and the 
fact that User Account Control (UAC) would be expected to protect the user from 
doing something particularly dangerous to the machine, this should be 
considered exploitable.

Non-privileged code can be used to replace shortcuts on the Start Menu and 
intercept elevation of privileges.  Because of the way the Start Menu is 
constructed, users can enumerate all of the shortcuts that appear on their 
menus because they have read access to the folders where the shortcuts reside.  
The Start Menu is composited of a common folder and the specific user's folder, 
preferring the user folder if duplicates exist.

Using COM and the .NET Framework, a stub EXE generator can be created that will 
check for the presence of privilege elevation before launching the original 
target process (in order to not alert the user to the fact that the target is 
infected).  The .NET CLR is installed by default on Windows Vista and so can be 
used as part of the attack vector.

The proof-of-concept enumerates the shortcuts on the user's menu and the common 
menu and creates or modified user-local shortcuts to exploitable executables 
via proxy EXEs.  It generates the proxy executables and then writes a text file 
to the Windows\System32 folder once a proxy executable has been run with 
elevation.  The proof-of-concept code is available at 
http://www.robpaveza.net/VistaUACExploit/PoC.zip and requires Visual Studio 
2005 to compile.

A whitepaper detailing the architecture of UAC and this exploit is also 
available at http://www.robpaveza.net/VistaUACExploit/UACExploitWhitepaper.pdf. 
 The whitepaper details the implementation of the Proof of Concept as well, and 
goes into significantly more detail than this (I'm sorry that this is short, 
but I've been working on writing this up for quite a while and just want it to 
be over).

Prev by Date: [security bulletin] HPSBGN02189 SSRT071297 rev.3 - ServiceGuard for Linux, Remote Unauthorized Access
Next by Date: iDefense Security Advisory 05.14.07: Samba SAMR Change Password Remote Command Injection Vulnerability
Previous by thread: [security bulletin] HPSBGN02189 SSRT071297 rev.3 - ServiceGuard for Linux, Remote Unauthorized Access
Next by thread: iDefense Security Advisory 05.14.07: Samba SAMR Change Password Remote Command Injection Vulnerability
Index(es):
- Date
- Thread