Twicexploit: Windows UAC Bypass

Posted on 3 mins read

Hello My Fellow Readers!
Today I’m back to write about UAC bypassing, that amazing scene that malware writers love.

What is UAC?


Since windows vista, Microsoft implemented the so called User Account Control (UAC); a mechanism which manages processes privileges. Basically, if you have a windows account which has administrator rights, and you run an application that doesn’t requiere administrator rights, UAC will drop the unnecessary privilges; This is done to avoid malwares having full control of the computer if they get code execution; to get admin rights UAC will prompt a question windows which will ask the user for permission, making malwares’ job harder.

How does it work?


The bypass is achieved using two different exploits or failures; In windows vista, UAC prompts were really annoying for the users so Microsoft decided that, starting in win7, applications(.EXEs) signed by Microsoft would be able to auto-elevate privileges. What does this means? when it comes to running them, they will not show any pop-up windows asking for credentials. Some of this apps and services are the ones that are located in the C:\Windows\System32 folder. The goal is to get code execution on any of these, but how? Since this apps will automatically elevate their privileges when they start, this means that we can’t use code injection techniques from an userland process, because we wouldn’t have enough privileges.

I will instead be using a method called ‘dll hijacking’; This is mainly replacing legit .dll files by our own .dll files but renamed with the original name, so programs will load it believing it is the original. Unfortunately, there are some issues to solve first; The autoelevated application we are going to hijack is stored at System32, a system critical/protected location, so it means we can’t write there if we don’t have privileges (which is exactly what we are trying to obtain with our exploit). Or not; Thanks to a design flaw, certain specific processes, running in userland, have some extra special privileges. This applies for explorer.exe, for example. Among other special privileges, explorer.exe is able to call the IFileOperation interface, which is part of COM, with admin-like privileges.

Therefore, the first step is really getting code execution in the explorer.exe process. You will need to inject code with any technique you are comfortable with (old reliable dll injection does the trick, by the way).
We’ll copy then our crafted dll to the system32 folder with the name ‘ntwdblib.dll’ which is a dll that the program ‘cliconfg.exe’ runs (this is one of those auto elevated programs I’ve just explained).
Here concludes stage one.
Then we’ll run cliconfg.exe which will first autoelevate to admin rights, and next it will load our dll’s entrypoint. That is stage2 or vulnerability 2. Once the Dll is loaded, we will have code running in the context of an elevated process! Success!

Credits


This exploit has been developed based on ideas posted on the web by several people; Thanks to the first person who exploited dll hijacking, and the one who found this auto-elevated processes and listed them.

Disclaimer


Since I originally wrote the article, more complex and efficient ways of bypassing UAC have appeared. Some of them are now able to bypass it in only one stage or in a faster way. Nevertheless, Twicexploit was one of the first open source implementations available. All the code (Code injector, stage1, stage2) is available in github: https://github.com/pedro-javierf/Twicexploit

comments powered by Disqus