![COM Hijacking
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USERSoftwareClassesCLSI
D{0A29FF9E-7F9C-4437-8B11-F424491E3931}]
[HKEY_CURRENT_USERSoftwareClassesCLSI
D{0A29FF9E-7F9C-4437-8B11-
F424491E3931}Server]
@="C:UsersMattDesktopMessageBox64.dll
" 45](https://image.slidesharecdn.com/16by9notasecurityboundary-newmethodsforbypassinguseraccountcontrol-170924153629/85/Not-a-Security-Boundary-Bypassing-User-Account-Control-45-320.jpg)
Ad
More Related Content
What's hot (20)
Similar to Not a Security Boundary: Bypassing User Account Control (20)
Ad
Recently uploaded (20)
Ad
Not a Security Boundary: Bypassing User Account Control
- 1. Not a Security Boundary: New Methods for Bypassing User Account Control Matt Nelson (@enigma0x3) SpecterOps
- 2. @enigma0x3 Job: Red Teamer and Security Researcher at @SpecterOps Trainer: BlackHat 2016, ATRTO Blogger: enigma0x3.net Speaker: Various BSides, DerbyCon, ShmooCon, OPCDE Other: Multiple CVEs for Device Guard research, plenty of UAC bypasses & COM lover 2
- 3. tl;dr UAC/Integrity Level Overview Bypass Research Overview Bypass Evolution Mitigations Demos throughout! 3
- 4. UAC: What is it? UAC == User Account Control “UAC is meant to enable users to run with standard user rights, as opposed to administrative rights” If user == Local Administrator, two tokens are assigned to the logon session (split-token admin) If a user is not a local admin, UAC offers Over-the- Shoulder (OTS) elevation We will be focusing on the split-token admin scenario 4 https://technet.microsoft.com/en-us/library/2007.06.uac.aspx?f=255&MSPPError=-2147217396
- 5. Who Cares? Every organization has users in the Local Administrators group A common answer is “We have UAC set to Always Notify”, so we are safe Attackers encounter UAC all the time Roadblock between them and their objective Blue: Are you aware of all the users in your environment that are running as Local Administrators? 5
- 6. ““Attackers don’t care about security boundaries” - Jessica Payne at MSIgniteNZ (@jepayneMSFT) 6 https://twitter.com/jepayneMSFT/status/791702594309677056
- 7. Security Boundary? 7 https://blogs.technet.microsoft.com/markrussinovich/2007/02/12/psexec-user-account-control-and- security-boundaries/ “What’s a security boundary? It’s a wall through which code and data can’t pass without the authorization of a security policy. “ - Mark Russinovich
- 9. 1. UAC/Integrity Level Overview How these tie together 9
- 10. Integrity Levels An Integrity Level is assigned to a security access token Defined by SID; assists in Access Control for various OS components Mandatory access token policies TOKEN_MANDATORY_NO_WRITE_UP, TOKEN_MANDATORY_NEW_PROCESS_MIN The Security Reference Monitor compares the user/group SIDs in the security access token with the ACL on an object to determine access 10
- 12. Integrity Levels When researching UAC, we are mostly interested in 2 integrity levels: High Integrity (HI) security access tokens == Administrator Medium Integrity (MI) security access token == Normal user Split-Token admin processes are assigned a MI security access token Elevation via UAC == granted HI security access token 12
- 13. UAC Levels UAC level determines the notification level Technically 4 levels: Always Notify, Notify (Secure Desktop), Notify (No Secure Desktop), Never Notify Realistically, there are only 2 we care about Always Notify and the Default (Notify w/ Secure Desktop) 13
- 14. 14
- 15. 2. Bypass Research Overview A Quick Example 15
- 16. Purpose Silently obtain a HI security access token without raising suspicion to the user Often executed from an agent (Meterpreter, Empire, Beacon, etc.) You aren’t bypassing anything if you elevate while logged in via the GUI At that point, you can just click “Yes” on the UAC prompt... 16
- 17. Don’t be this guy.... 17
- 18. Elevation Objects Identify objects that silently elevate Scheduled Tasks, Auto-Elevate Windows Binaries, COM interfaces, etc. Take these objects and trace their various execution behavior Determine any locations these objects interact with that a MI process can manipulate Can be registry keys, files, folders, etc. 18
- 21. Abusing These Objects After identifying an object that reads from a location you can modify, determine how to abuse it Registry key additions Environment variable manipulation Winning a race condition After modifying, these elevating objects should read and pull your payload 21
- 23. 3. Bypass Evolution Then there was light 23
- 24. Disclaimer There are many public UAC bypasses that currently exist Most definitive source for all bypasses is @hfireF0x’s UACME project: https://github.com/hfiref0x/UACME This section only highlights the evolution of bypass tradecraft, not specific techniques. I will not cover every bypass nor every technique (we would be here for hours) 24
- 25. IFileOperation Leo Davidson released PoC code in 2009 One of the first UAC bypasses to publically be released IFileOperation::CopyItem() Has to be invoked from inside a Microsoft signed binary (can be spoofed) A privilege file copy opens up the possibility for a DLLHijack Fixed in Windows 10 RS2 (15007) 25
- 27. WUSA Original Finder: Vozzie Windows Update Standalone Installer Auto-Elevating Windows binary Pre-Windows 10, has an “/extract” flag Allows extraction of a cab from one location to another Cab a payload using makecab and perform a privileged file copy using: wusa <path> /extract <path> 27
- 29. Registry Modification (eventvwr.exe) Abuses Registry verb handlers Shellopencommand, isolatedCommand, etc These values determine the binary and parameters for a specified verb Many binaries can be used here More: https://enigma0x3.net/2016/08/15/fileless- uac-bypass-using-eventvwr-exe-and-registry-hijacking/ 29
- 34. Registry Modification (eventvwr.exe) ◈ Microsoft actually issued a fix in Windows 10 RS2 (15031) 34http://www.winhelponline.com/blog/microsoft-fixes-eventvwr-exe-uac-bypass-exploit-windows-10- creators-update/
- 35. Race Condition (Disk Cleanup) Found by @mattifestation/@enigma0x3 Windows 10 Scheduled Task with “Run with Highest Privileges” set Creates a folder in %localappdata%Temp<guid> Executes dismhost.exe in a HI context Dismhost.exe loads DLLs from the temp directory Fixed in Windows 10 RS2 (15031) 35
- 36. Race Condition (Disk Cleanup) 36
- 37. Race Condition (Disk Cleanup) 37
- 38. Race Condition (Disk Cleanup) 38
- 39. Race Condition (Disk Cleanup) 39 https://youtu.be/tryZ_45kQOw
- 40. Environment Variables (Disk Cleanup) Discovered by James Forshaw (@tiraniddo) Same Scheduled Task as the Race Condition Utilizes an environment variable in its action These environment variables can be modified without elevation HKEY_CURRENT_USEREnvironment 40
- 42. Environment Variables (Disk Cleanup) Hijacking the %windir% environment variable can lead to silent elevation when the task is ran reg add hkcuEnvironment /v windir /d "cmd /K reg delete hkcuEnvironment /v windir /f && REM “ More: https://tyranidslair.blogspot.com/2017/05/exploitin g-environment-variables-in.html 42
- 44. COM Hijacking Finders: @FuzzySec/@enigma0x3 Hijack InProcServer32, Server or LocalServer32 & invoke an auto-elevating binary that instantiates that COM object Our malicious binary loads 44
- 45. COM Hijacking Windows Registry Editor Version 5.00 [HKEY_CURRENT_USERSoftwareClassesCLSI D{0A29FF9E-7F9C-4437-8B11-F424491E3931}] [HKEY_CURRENT_USERSoftwareClassesCLSI D{0A29FF9E-7F9C-4437-8B11- F424491E3931}Server] @="C:UsersMattDesktopMessageBox64.dll " 45
- 47. Token Manipulation Discovered by James Forshaw (@tiraniddo): https://tyranidslair.blogspot.com/2017/05/reading- your-way-around-uac-part-1.html Weaponized by Ruben Boonen (@fuzzysec) Forget auto-elevating objects… Uses DuplicateTokenEx() to duplicate a HI token & calls CreateProcessWithLogonW() with that new token Results in an Always Notify bypass without any OS modifications :-) 47
- 49. Token Manipulation 49 https://github.com/FuzzySecurity/PowerShell- Suite/blob/master/UAC-TokenMagic.ps1 by @fuzzysec Took @tiraniddo’s post and weaponized it Uses Add-Type to interface with the Win32 API Compiles and drops files to disk
- 50. Token Manipulation 50 Re-implemented via PSReflect https://github.com/enigma0x3/Misc-PowerShell- Stuff/blob/master/Invoke-TokenDuplication.ps1 Enumerates process list and checks for a process with a HI security access token When one is found, uses that ProcID to elevate If one is not, starts one via the RunAs verb
- 52. Local Admin Accounts ◈ Every environment I have ever operated in had a percentage of users that were local administrators on their own host... 52
- 53. Stop Running as a Local Administrator Why do users need to be local administrators? Stop it. Seriously. Practice real least privilege pls. 53
- 54. CREDITS Special Thanks: James Forshaw (@tiraniddo) Ruben Boonen (@FuzzySec) Matt Graeber (@mattifestation) @hfiref0x & many more for their great research! 54
- 56. Resources https://blogs.technet.microsoft.com/markrussinovich/2007/ 02/12/psexec-user-account-control-and-security- boundaries/ https://github.com/FuzzySecurity/DefCon25 https://github.com/hfiref0x/UACME https://github.com/enigma0x3/Misc-PowerShell- Stuff/blob/master/Invoke-TokenDuplication.ps1 56
Editor's Notes
- #4: Note that we are focusing on split-token admins (AAM) mode OTW exploitation is likely possible Split-token == user is a LA, UAC gives user a normal token and then elevation occurs that grants the process an administrative token
- #5: Note that we are focusing on split-token admins (AAM) mode OTW exploitation is likely possible Split-token == user is a LA, UAC gives user a normal token and then elevation occurs that grants the process an administrative token
- #6: Blue: Do you know how many users are Local Admins on their own host?
- #8: Lee & Jeffery Derby 2016 keynote: “What do you have and what do you get?” One user should not be able to read or modify the data of another user, nor be able to cause other users to execute code, without the permission of the other user.
- #9: Mark Russonivich Windows Vista User Account Control Internals
- #11: TOKEN_MANDATORY_NO_WRITE_UP: The default policy that is assigned to all access tokens. The policy restricts write access by this subject to any object at a higher integrity level.
- #25: Won’t outline all IFileOperation Dll Hijack bypasses, just cover the IFileOperation technique
- #26: Requires injection into explorer.exe to call the method
- #48: OpenProcess, OpenProcessToken, DuplicateTokenEx, AllocateAndInitializeSid, ntSetInformationToken (lower the token IL level), ntFilterToken (creates a new restricted token), DuplicateTokenEx, ImpersonateLoggedOnUser and then CreateProcesswithLogonW