Researcher finds Windows flaw that permits fileless UAC bypass

Windows vulnerability would allow hackers to subvert PowerShell to bypass the UAC, leaving no trace of having accessed the system.


The User Account Control (UAC) system in Windows can be bypassed, enabling an attacker to hijack registry processes, start PowerShell and execute commands without leaving any evidence on the hard drive.

The flaw was discovered by security researcher Matt Nelson. In a blog post, he said the bypass relies on Event Viewer (eventvwr.exe), which lets users look at event logs locally or remotely. He used this to hijack a registry process to start PowerShell and run commands on a target machine.

The exploit worked on any Windows machine that uses UAC.

“This means that code execution has been achieved in a high integrity process (bypassing UAC) without dropping a DLL or other file down to the file system. This significantly reduces the risk to the attacker because they aren't placing a traditional file on the file system that can be caught by AV/HIPS or forensically identified later,” said Nelson.

Not only do no files touch the system, but no processes are injected either.

“Most UAC bypasses require some sort of privileged file copy in order to get a malicious DLL into a secure location to set up a DLL hijack. Since it is possible to replace what executable ‘eventvwr.exe’ starts to load the required Snap-in, it is possible to simply use an existing, trusted Microsoft binary to execute code in memory instead,” he said.

He added that the technique can be remediated or fixed by setting the UAC level to “Always Notify” or by removing the current user from the Local Administrators group.

According to research by Carbon Black earlier this year, PowerShell was used as part of a cyber-attack in 38 percent of the incidents they analysed.

Fraser Kyne, regional SE director at Bromium, told SCMagazineUK.com that innovative attacks like this prove, once again, that the notion of running untrusted tasks of unknown provenance within the same OS as trusted business processes is a recipe for disaster.

“Smart IT security professionals are looking at ways to segment activities to reduce their risk. The trick is trying to do this seamlessly, without impacting business operations nor user productivity,” he said.

David Kennerley, director of threat research at Webroot, told SC that it is important to remember that this method relies on the attacker having access to the machine, so although it is a very clear attack vector, all the usual security mitigation techniques associated with keeping an organisation as safe as possible will still apply. “From good user education to advanced threat intelligence, monitoring and alerting solutions will all prevent the fileless attack occurring from the start,” he said.

Luke Potter, security practice director at SureCloud, said this particular attack can appear worrying at first glance. “However, organisations which have followed best practice are likely already protected. In addition, Microsoft has previously commented stating that UAC isn't a security boundary, as such other effective controls can heavily mitigate the risk.”

Potter told SC: “In particular the attack requires that the user is an administrator of the local machine. Any organisation allowing users local administrator access should look to migrate away from this model as soon as possible,” he said.

“In immediate response, ensure a group policy has been deployed to all systems which ensures the UAC level is set to ‘Always Prompt’, including administrator users.”
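
The two mitigations named above (UAC at “Always Notify”, and no local administrator rights for the user) can be checked per machine. The PowerShell below is an added example, not code from Nelson's post or from Microsoft; the helper function names are hypothetical and the sample policy is constructed.

```powershell
# Added example: audit the UAC level and local administrator membership on this machine.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$AdminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

function Test-UacAlwaysNotify {   # hypothetical helper name
    param([hashtable]$Policy)
    $findings = @()
    if ($Policy.EnableLUA -ne 1) {
        $findings += 'EnableLUA is not 1: UAC is disabled'
    }
    # 2 = prompt for consent on every elevation (written by the "Always notify" slider),
    # 1 = prompt for credentials on every elevation; 5 is the Windows default.
    if ($Policy.ConsentPromptBehaviorAdmin -notin 1, 2) {
        $findings += "ConsentPromptBehaviorAdmin is '$($Policy.ConsentPromptBehaviorAdmin)': not Always Notify"
    }
    if ($Policy.PromptOnSecureDesktop -ne 1) {
        $findings += 'PromptOnSecureDesktop is not 1: prompt is not shown on the secure desktop'
    }
    return $findings
}

function Test-TokenHasAdminsSid {   # hypothetical helper name
    # Claims include deny-only SIDs, so an administrator running with a filtered
    # (non-elevated) token is still reported as an administrator.
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    [bool]($identity.Claims | Where-Object { $_.Value -eq $AdminsSid })
}

# Constructed sample: the default slider position, which the check should flag.
$sampleDefault = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 1 }
foreach ($f in @(Test-UacAlwaysNotify -Policy $sampleDefault)) { "sample: $f" }

# Live check of this machine.
$reg  = Get-ItemProperty -Path $PolicyKey
$live = @{}
foreach ($name in 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'PromptOnSecureDesktop') {
    $live[$name] = $reg.$name
}
$findings = @(Test-UacAlwaysNotify -Policy $live)
if (Test-TokenHasAdminsSid) {
    $findings += 'Current user is a member of BUILTIN\Administrators'
}
if ($findings.Count -eq 0) {
    'No findings: UAC is at Always Notify and the user is not a local administrator'
} else {
    $findings
}
```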