Less than a month after disclosing a Windows User Account Control bypass, researcher Matt Nelson today published another attack that circumvents the security feature and leaves no traces on the hard disk.
This time, the bypass relies on Event Viewer (eventvwr.exe), a native Windows feature used to view event logs locally or remotely. Nelson said he figured out a way to use eventvwr to hijack a registry process, start PowerShell and execute commands on Windows machines; he collaborated with fellow researcher Matt Graeber on a proof-of-concept exploit, which was tested against Windows 7 and 10. A report published today by Nelson said it would work against any version of the OS that implements UAC.
“This attack simply allows an admin user to execute code in a high-integrity context without requiring the user to ‘approve’ the administrative action via the pop-up. It essentially removes the restrictions an attacker has when running under the context of a local administrator,” Nelson told Threatpost. “This is a post-exploitation technique, so an attacker would need to already be on the system.”
Microsoft did not answer whether it had confirmed the issue, nor whether a patch was in the works. It sent Threatpost this statement: “Windows is the only platform with a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. If we determine there is an issue, we will take the necessary steps to help protect customers.”
“This is not a vulnerability but a method of bypassing a defense-in-depth feature – and it requires administrative privileges to work. We recommend customers follow best practices and not run machines in administrator mode full-time,” a Microsoft spokesperson said.
Nelson told Threatpost that he has privately disclosed UAC bypasses to Microsoft in the past, but Microsoft has told him it does not consider UAC a security boundary and that bypasses are not worthy of a Patch Tuesday bulletin and fix.
“Historically, Microsoft has fixed some UAC bypasses but they understandably have to prioritize fixing legitimate remote code execution and elevation of privilege vulnerabilities,” Nelson said. “If UAC bypasses are considered to be something that code needs to be hardened against, then I would expect there to be formal hardening guidelines for developers. Such formal guidance doesn’t exist to my knowledge however and understandably so since Microsoft does not consider UAC to be a security boundary worth protecting.”
Nelson said the impetus for this attack came via logs from a previously disclosed UAC bypass using DiskCleanup, which showed that there may be more than one way to quietly get code execution in this manner.
In today’s report, Nelson said he noticed eventvwr.exe executes registry queries against the HKEY_CURRENT_USER (HKCU) registry hive as a high-integrity process. He points out that the HKEY_CLASSES_ROOT (HKCR) hive is a merger of the HKCU hive with the HKEY_LOCAL_MACHINE (HKLM) hive, a relationship that went a long way toward facilitating this attack.
“Since this relationship exists between these 2 hives, any elevated process that interacts with both HKCU and HKCR in succession is particularly interesting since you are able to tamper with values in HKCU,” the report says.
Eventvwr.exe’s interaction with HKCU was the opening Nelson needed. He also observed that its default value in HKCR was to call and execute the Microsoft Management Console (mmc.exe).
“From the output, it appears that eventvwr.exe, as a high integrity process, queries both HKCU and HKCR registry hives to start mmc.exe,” the report says. “After mmc.exe starts, it opens eventvwr.msc, which is a Microsoft Saved Console file, causing the Event Viewer to be displayed. This makes sense due to the fact that the Microsoft Management Console loads Microsoft Saved Console Files.”
Nelson said he and Graeber next created a registry structure that causes Event Viewer to query HKCU instead of HKCR, and swapped out the default mmc.exe executable for powershell.exe.
“Due to the fact that I was able to hijack the process being started, it is possible to simply execute whatever malicious PowerShell script/command you wish. This means that code execution has been achieved in a high integrity process (bypassing UAC) without dropping a DLL or other file down to the file system,” Nelson said. “This significantly reduces the risk to the attacker because they aren’t placing a traditional file on the file system that can be caught by AV/HIPS or forensically identified later.”
Unlike other publicly disclosed UAC bypasses, this one does not require dropping a DLL or other file onto the disk, nor does it require process injection or a privileged file copy.
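Because nothing is written to disk, the per-user registry override is the artifact a defender can look for. The following audit is an added example, not code from Nelson's report or this article; the function name is hypothetical, and it relies on the general Windows behaviour that HKCR merges `HKLM:\Software\Classes` with `HKCU:\Software\Classes`.

```powershell
# Added example: list per-user class command handlers that shadow machine-wide ones.
# HKCR is a merged view of HKLM:\Software\Classes and HKCU:\Software\Classes;
# when both define the same key, the per-user (HKCU) entry is the one returned.
function Get-ShadowedClassCommand {   # hypothetical helper name
    $userRoot    = 'HKCU:\Software\Classes'
    $machineRoot = 'HKLM:\Software\Classes'
    if (-not (Test-Path -LiteralPath $userRoot)) { return }

    # Length of "HKEY_CURRENT_USER\Software\Classes\" so it can be cut off below
    $prefixLength = (Get-Item -LiteralPath $userRoot).Name.Length + 1

    Get-ChildItem -LiteralPath $userRoot -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -eq 'command' } |
        ForEach-Object {
            # Path of this key relative to the class root
            $relative   = $_.Name.Substring($prefixLength)
            $machineKey = Join-Path $machineRoot $relative

            # Only keys that also exist machine-wide are overrides
            if (-not (Test-Path -LiteralPath $machineKey)) { return }

            # GetValue('') reads the key's (Default) value
            $userCmd    = $_.GetValue('')
            $machineCmd = (Get-Item -LiteralPath $machineKey).GetValue('')

            if ($userCmd -and ($userCmd -ne $machineCmd)) {
                [pscustomobject]@{
                    Key                = $relative
                    UserCommand        = $userCmd
                    MachineCommand     = $machineCmd
                    MentionsPowerShell = [bool]($userCmd -match 'powershell')
                }
            }
        }
}

# Overrides that launch PowerShell are listed first
Get-ShadowedClassCommand |
    Sort-Object MentionsPowerShell -Descending |
    Format-List
```

Run it in the session of the account being examined, since HKCU is specific to each user. An empty result means no per-user command handler currently differs from its machine-wide counterpart.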
“Fileless attacks permit an attacker to operate without the risk of detection from security products that rely upon traditional, file-based analysis. It also reduces the attacker’s footprint on the system,” Nelson said. “I wouldn’t say this approach is new, it has just become easier due to built-in tools like PowerShell.”
Nelson said that Windows admins can protect their systems against this attack by setting the UAC level to Always Notify, or by removing the current user from the Local Administrators group.
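A quick check of both mitigations on a single machine, as an added example that is not part of Nelson's report; the function name is hypothetical, and the registry values used are the standard UAC policy settings that back the Always Notify slider position.

```powershell
# Added example: report whether either mitigation named in the article is in place.
function Test-UacMitigation {   # hypothetical helper name
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $policy    = Get-ItemProperty -LiteralPath $policyKey

    # "Always Notify" corresponds to: UAC enabled, consent prompt for every
    # elevation request (2), and the prompt shown on the secure desktop (1).
    $alwaysNotify = ($policy.EnableLUA -eq 1) -and
                    ($policy.ConsentPromptBehaviorAdmin -eq 2) -and
                    ($policy.PromptOnSecureDesktop -eq 1)

    # whoami lists BUILTIN\Administrators (S-1-5-32-544) even when the current
    # token is the filtered one and the group is marked "deny only", so this
    # works from a non-elevated prompt and covers nested group membership.
    $groups   = whoami.exe /groups /fo csv
    $inAdmins = [bool]($groups | Select-String -SimpleMatch '"S-1-5-32-544"')

    [pscustomobject]@{
        User                       = [Environment]::UserName
        EnableLUA                  = $policy.EnableLUA
        ConsentPromptBehaviorAdmin = $policy.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $policy.PromptOnSecureDesktop
        AlwaysNotify               = $alwaysNotify
        InLocalAdministrators      = $inAdmins
        # Neither of the two mitigations from the article applies
        NeitherMitigationApplied   = $inAdmins -and (-not $alwaysNotify)
    }
}

Test-UacMitigation | Format-List
```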
This article was updated Aug. 17 with an updated statement from Microsoft.