Me, myself & IT

Mitigate some exploits for Windows’® UAC

Purpose

Mitigate some exploits for the auto-elevation (mis)feature of the braindead security theatre abomination known as UAC.

Vulnerabilities

The vulnerabilities can be exploited (without user interaction) in standard installations of Windows 7 and newer versions of Windows NT since Windows is still set up without strict privilege separation, i.e. without separate accounts for (unprivileged) user(s) and (privileged) administrator(s)!

Note: only vulnerabilities and exploits for which a mitigation exists are presented here!

Vulnerabilities of CompMgmtLauncher.exe

The superfluous application Computer Management Snapin Launcher CompMgmtLauncher.exe is used to start the Computer Management snap-in CompMgmt.msc of the Microsoft Management Console; it is one of the about 70 applications shipped with Windows 7 and newer versions of Windows NT which have auto-elevation enabled.

Note: it is superfluous since the command line "%SystemRoot%\System32\MMC.exe" "%SystemRoot%\System32\CompMgmt.msc" launches Computer Management directly, and MMC.exe has auto-elevation enabled too.

CompMgmtLauncher.exe has a severe design bug: instead of launching the command line "%SystemRoot%\System32\MMC.exe" "%SystemRoot%\System32\CompMgmt.msc" it launches the shortcut %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Computer Management.lnk alias %ProgramData%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Computer Management.lnk.

An unprivileged user can set the environment variable ALLUSERSPROFILE to an arbitrary directory, create the subdirectory Microsoft\Windows\Start Menu\Programs\Administrative Tools\ there and then create the shortcut Computer Management.lnk with an arbitrary command line in the subdirectory.
In standard installations of Windows 7 and newer versions of Windows NT CompMgmtLauncher.exe launches this command line without UAC prompt with administrative privileges.

Note: since the command line %SystemRoot%\System32\CompMgmt.msc of the shortcut %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Computer Management.lnk specifies no executable file, CompMgmtLauncher.exe has the (following) vulnerability of EventVwr.exe too.

Vulnerability of EventVwr.exe

The superfluous application Event Viewer Snapin Launcher EventVwr.exe is used to start the Event Viewer snap-in EventVwr.msc of the MMC.exe; it is one of the about 70 applications shipped with Windows 7 and newer versions of Windows NT which have auto-elevation enabled.

Note: it is superfluous since the command line "%SystemRoot%\System32\MMC.exe" "%SystemRoot%\System32\EventVwr.msc" launches Event Viewer directly, and MMC.exe has auto-elevation enabled too.

Note: EventVwr.exe exists for backward compatibility with Windows NT4 and earlier versions of Windows NT only; in Windows 2000 the standalone Event Viewer application was replaced by the snap-in EventVwr.msc.

EventVwr.exe has a severe design bug: instead of launching the command line "%SystemRoot%\System32\MMC.exe" "%SystemRoot%\System32\EventVwr.msc" it calls the Win32 function ShellExecute() to launch EventVwr.msc; ShellExecute() reads the (unnamed) default values of the Registry entries [HKEY_CLASSES_ROOT\.msc] and [HKEY_CLASSES_ROOT\mscfile\Shell\Open\Command] to evaluate the command line to launch EventVwr.msc.

The Registry key [HKEY_CLASSES_ROOT] is the overlay of the Registry key [HKEY_LOCAL_MACHINE\SOFTWARE\Classes] with the Registry key [HKEY_CURRENT_USER\Software\Classes], i.e. the latter takes precedence.

An unprivileged user can create the Registry key [HKEY_CURRENT_USER\Software\Classes\mscfile\Shell\Open\Command] and write an arbitrary command line to its (unnamed) default value, or create the Registry key [HKEY_CURRENT_USER\Software\Classes\.msc] and write a new Programmatic Identifier (foobar for example) to its (unnamed) default value, then create the Registry key [HKEY_CURRENT_USER\Software\Classes\foobar\Shell\Open\Command] and write an arbitrary command line to its (unnamed) default value.

In standard installations of Windows 7 and newer versions of Windows NT EventVwr.exe launches this command line without UAC prompt with administrative privileges.

Vulnerability of MMC.exe

Multiple snap-ins of the Microsoft Management Console are implemented using the .NET Framework.

When .NET Framework is loaded, its Common Language Runtime execution engine evaluates the environment variables COR_ENABLE_PROFILING and COR_PROFILER, since .NET Framework 4 additionally COR_PROFILER_PATH, and loads the COM object specified by them as Code Profiler:

When both environment variable checks pass, the CLR creates an instance of the profiler in a similar manner to the COM CoCreateInstance function. The profiler is not loaded through a direct call to CoCreateInstance. Therefore, a call to CoInitialize, which requires setting the threading model, is avoided.

The CLR execution engine, however, fails to implement the security checks added to the Win32 function CoCreateInstance in Windows Vista:

The Component Object Model (COM) leverages the registry to maintain information about all of the COM objects installed on a computer. This registry hive (HKEY_CLASSES_ROOT) is a virtual registry hive, which allows for both per-user and per-machine object registration. Per-user COM objects configurations are stored in HKEY_CURRENT_USER\Software\Classes, while per-machine configurations are stored in HKEY_LOCAL_MACHINE\Software\Classes. Typically, per-user configurations take precedence.

Beginning with Windows Vista® and Windows Server® 2008, if the integrity level of a process is higher than Medium, the COM runtime ignores per-user COM configuration and accesses only per-machine COM configuration. This action reduces the surface area for elevation of privilege attacks, preventing a process with standard user privileges from configuring a COM object with arbitrary code and having this code called from an elevated process.

An unprivileged user can set the environment variables and create the Registry keys and entries below [HKEY_CURRENT_USER\Software\Classes\CLSID] to register an arbitrary DLL as COM object.

In standard installations of Windows 7 and newer versions of Windows NT MMC.exe loads this DLL without UAC prompt with administrative privileges.
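The three vulnerabilities above all hinge on per-user state (environment variables, the per-user .msc file association, per-user CLSID registrations) being honoured by an auto-elevated process. The following PowerShell script is an added example, not part of this page or of UACaMole: it audits exactly those per-user hijack points in the current user's profile and reports anything it finds. It reads HKCU only, so it needs no elevation; note that an ALLUSERSPROFILE or COR_* override set only in a single process's environment block is invisible to it, only persistent overrides in HKCU\Environment show up.

```powershell
# Added example (not part of the original page): audit the per-user hijack
# points the CompMgmtLauncher.exe, EventVwr.exe and MMC.exe vulnerabilities
# rely on. Run as the user being checked; reads HKCU only.

$findings = @()

# 1. Persistent environment overrides in HKCU\Environment. ALLUSERSPROFILE is
#    honoured by CompMgmtLauncher.exe, the COR_* variables by the CLR in MMC.exe.
$envKey = 'HKCU:\Environment'
foreach ($name in 'ALLUSERSPROFILE', 'COR_ENABLE_PROFILING', 'COR_PROFILER', 'COR_PROFILER_PATH') {
    $value = (Get-ItemProperty -Path $envKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -ne $value) {
        $findings += [pscustomobject]@{ Location = "$envKey!$name"; Value = $value }
    }
}

# 2. Per-user overrides of the .msc file association used by EventVwr.exe and
#    the start menu shortcuts. A clean profile has neither key.
foreach ($key in 'HKCU:\Software\Classes\mscfile\Shell\Open\Command',
                 'HKCU:\Software\Classes\.msc') {
    if (Test-Path -LiteralPath $key) {
        $default = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
        $findings += [pscustomobject]@{ Location = $key; Value = $default }
        # If .msc was re-pointed at another ProgID, follow it to that ProgID's Open command.
        if ($key -like '*\.msc' -and $default) {
            $progId = "HKCU:\Software\Classes\$default\Shell\Open\Command"
            if (Test-Path -LiteralPath $progId) {
                $cmd = (Get-ItemProperty -LiteralPath $progId).'(default)'
                $findings += [pscustomobject]@{ Location = $progId; Value = $cmd }
            }
        }
    }
}

# 3. Per-user COM registrations. COR_PROFILER names a CLSID, and any HKCU CLSID
#    with an InprocServer32 is a DLL that an elevated .NET host may load.
$clsidRoot = 'HKCU:\Software\Classes\CLSID'
if (Test-Path -LiteralPath $clsidRoot) {
    foreach ($clsid in Get-ChildItem -LiteralPath $clsidRoot) {
        $server = "$($clsid.PSPath)\InprocServer32"
        if (Test-Path -LiteralPath $server) {
            $dll = (Get-ItemProperty -LiteralPath $server).'(default)'
            $findings += [pscustomobject]@{ Location = $server; Value = $dll }
        }
    }
}

if ($findings.Count -eq 0) {
    'No per-user environment, .msc association or CLSID overrides found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

A hit in section 1 or 2 is almost never legitimate on a workstation; a hit in section 3 needs a look at the DLL path, since some per-user software (ClickOnce or per-user installers) registers COM servers under HKCU legitimately.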

Vulnerability of shortcuts in the start menu

The shortcuts for all snap-ins of the Microsoft Management Console in the directories %ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\ and %ProgramData%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\ show the same vulnerability as EventVwr.exe: Windows Explorer processes their command lines %SystemRoot%\System32\‹filename›.msc just like ShellExecute() does.

Blended vulnerabilities

WUSA.exe, the Windows Update Standalone Installer, is yet another of the about 70 applications shipped with Windows 7 and newer versions of Windows NT which have auto-elevation enabled.
Its /Extract:‹destination› command-line switch allows extracting the contents of arbitrary cabinet archives to arbitrary destination directories. Since it runs elevated, this can be (ab)used to plant DLLs loaded and executed by other applications which have auto-elevation enabled to gain administrative privileges:

MMC.exe

The Event Viewer snap-in EventVwr.msc of the Microsoft Management Console MMC.exe loads and executes ELS.dll, which in turn loads and executes ELSExt.dll; since ELSExt.dll is not shipped with Windows, an arbitrary DLL with this filename can be planted in the system directory %SystemRoot%\System32\, from where it is then loaded and executed with administrative privileges.

CliConfg.exe

The SQL Client Configuration Utility CliConfg.exe has auto-elevation enabled too.
It loads and executes NTWDBLib.dll; since NTWDBLib.dll is not shipped with Windows, an arbitrary DLL with this filename can be planted in the system directory %SystemRoot%\System32\, from where it is then loaded and executed with administrative privileges.

SysPrep.exe

The System Preparation Utility SysPrep.exe has auto-elevation enabled too.
In Windows 7 and Windows Server 2008 R2, it loads and executes CryptBase.dll, CryptSP.dll, DWMAPI.dll, RPCRtRemote.dll and UXTheme.dll; since these DLLs don’t exist in its application directory %SystemRoot%\System32\SysPrep\, arbitrary DLLs with these filenames can be planted there, from where they are then loaded and executed with administrative privileges.

SetupSQM.exe

The Setup SQM Tool SetupSQM.exe has auto-elevation enabled too.
It loads and executes WDSCore.dll; since WDSCore.dll does not exist in its application directory %SystemRoot%\System32\OoBE\, an arbitrary DLL with this filename can be planted there, from where it is then loaded and executed with administrative privileges.

MCX2Prov.exe

The MCX2 Provisioning Library MCX2Prov.exe has auto-elevation enabled too.
In Windows 7 it loads and executes CryptBase.dll; since CryptBase.dll does not exist in its application directory %SystemRoot%\eHome\, an arbitrary DLL with this filename can be planted there, from where it is then loaded and executed with administrative privileges.

PkgMgr.exe

The Windows Package Manager PkgMgr.exe has auto-elevation enabled too.
It calls DISMHost.exe to perform some of its tasks, which loads and executes PEProvider.dll; since PEProvider.dll is not shipped with Windows, an arbitrary DLL with this filename can be planted in its application directory %SystemRoot%\System32\DISM\, from where it is then loaded and executed with administrative privileges.

MSHTA.exe, CScript.exe and WScript.exe

In Windows 7 and Windows Server 2008 R2, the Microsoft HTML Application Host MSHTA.exe, the Console Based Script Host CScript.exe and the Windows Based Script Host WScript.exe are shipped without an embedded application manifest.
Windows’ module loader therefore evaluates external application manifests MSHTA.exe.manifest, CScript.exe.manifest and WScript.exe.manifest planted in the system directory %SystemRoot%\System32\. These application manifests can enable auto-elevation, resulting in execution of every HTML Application *.hta, every JScript *.js or *.jse, every VBScript *.vbs or *.vbe, as well as every other script *.wsf or *.wsh for the Windows Script Host with administrative privileges.
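Every file named in the "Blended vulnerabilities" section either does not ship with Windows or does not belong in the directory the loader searches first, so its mere presence there is a finding. The PowerShell script below is an added example, not part of this page or of UACaMole: it checks each of those plant locations and, for any occupied one, reports size, timestamp and Authenticode status, which separates a copied Microsoft binary from a foreign DLL. The SysWOW64 counterparts on x64 systems are not covered; adding them is an assumption about 32-bit copies of the same applications, not something this page states.

```powershell
# Added example (not part of the original page): look for files planted in the
# locations the "Blended vulnerabilities" section names. Reading System32 needs
# no elevation.

$sys = Join-Path $env:SystemRoot 'System32'
$candidates = @(
    (Join-Path $sys 'ELSExt.dll'),                       # Event Viewer snap-in via ELS.dll
    (Join-Path $sys 'NTWDBLib.dll'),                     # CliConfg.exe
    (Join-Path $sys 'OoBE\WDSCore.dll'),                 # SetupSQM.exe
    (Join-Path $sys 'DISM\PEProvider.dll'),              # PkgMgr.exe -> DISMHost.exe
    (Join-Path $env:SystemRoot 'eHome\CryptBase.dll'),   # MCX2Prov.exe (Windows 7)
    (Join-Path $sys 'MSHTA.exe.manifest'),               # external manifests that can
    (Join-Path $sys 'CScript.exe.manifest'),             # switch on auto-elevation
    (Join-Path $sys 'WScript.exe.manifest')
)
# SysPrep.exe (Windows 7 / Server 2008 R2) resolves these from its own directory first.
foreach ($dll in 'CryptBase.dll', 'CryptSP.dll', 'DWMAPI.dll', 'RPCRtRemote.dll', 'UXTheme.dll') {
    $candidates += Join-Path $sys "SysPrep\$dll"
}

$report = foreach ($path in $candidates) {
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }
    $item = Get-Item -LiteralPath $path
    # A .manifest is plain XML, so its Status is always NotSigned; for those the
    # finding is the file's existence, for DLLs the signature status matters too.
    $sig = Get-AuthenticodeSignature -LiteralPath $path
    [pscustomobject]@{
        Path      = $path
        Size      = $item.Length
        Modified  = $item.LastWriteTimeUtc
        Signature = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

if (-not $report) {
    'None of the listed plant locations is occupied.'
} else {
    $report | Format-Table -AutoSize -Wrap
}
```

Because WUSA.exe writes the planted file with administrative privileges, the ACL of the target directory tells you nothing here; the file list itself is the indicator, and a scheduled run of this check (or a file-creation audit rule on these exact paths) gives the detection.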

Mitigations

With the mitigations presented here an unprivileged user can still execute CompMgmtLauncher.exe and EventVwr.exe, but they run with the unprivileged user’s credentials, not elevated; when they launch %SystemRoot%\System32\CompMgmt.msc or %SystemRoot%\System32\EventVwr.msc, elevation is handled during start of %SystemRoot%\System32\MMC.exe.

Note: the mitigations are designed for and have been tested on Windows 7; their adaptation to newer versions of Windows NT is left as an exercise to the reader.

Mitigation against exploitation of CompMgmtLauncher.exe

Replace the command line of the Computer Management context menu entry of the Computer icon which launches the superfluous CompMgmtLauncher.exe and additionally inhibit its elevation:
; Copyright © 2016-2017, Stefan Kanthak <skanthak@nexgo.de>

[Version]
Provider  = "Stefan Kanthak"
Signature = "$Windows NT$"

[DefaultInstall]
AddReg    = Registry

[Registry]
HKCR,"CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\Shell\Manage\Command",,32,"%16421%\MMC.exe %16421%\CompMgmt.msc"

HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers","%16421%\CompMgmtLauncher.exe",2,"RunAsInvoker"

Note: addition of the Registry entries for the AMD64 alias x64 and IA64 processor architectures is left as an exercise to the reader.

Mitigation against exploitation of EventVwr.exe

Replace the command line of the verb Open for Event Log files which launches the superfluous EventVwr.exe and additionally inhibit its elevation:
; Copyright © 2009-2017, Stefan Kanthak <skanthak@nexgo.de>

[Version]
Provider  = "Stefan Kanthak"
Signature = "$Windows NT$"

[DefaultInstall]
AddReg    = Registry

[Registry]
HKCR,"evtfile\Shell\Open\Command",,32,"%16421%\MMC.exe %16421%\EventVwr.msc /L:""%L"""
HKCR,"evtxfile\Shell\Open\Command",,32,"%16421%\MMC.exe %16421%\EventVwr.msc /L:""%L"""

HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers","%16421%\EventVwr.exe",2,"RunAsInvoker"

Note: addition of the Registry entries for the AMD64 alias x64 and IA64 processor architectures is left as an exercise to the reader.

Mitigations against exploitation of .NET Framework profiler

Use an unprivileged Standard User account!

Mitigations against exploitation of vulnerable shortcuts in the start menu

Replace the command line of the shortcuts:
; Copyright © 2009-2017, Stefan Kanthak <skanthak@nexgo.de>

[Version]
Provider  = "Stefan Kanthak"
Signature = "$Windows NT$"

[DefaultInstall]
ProfileItems = Shortcut

[Shortcut]
CmdLine     = 16421,,"MMC.exe %16421%\TaskSchd.msc"
;HotKey     =
IconIndex   = 1
IconPath    = 16421,,"MIGUIResource.dll"
InfoTip     = "@%16421%\MIGUIResource.dll,-202"
Name        = "Task Scheduler",0
SubDir      = "Accessories\System Tools"
;WorkingDir = 16421,

Note: addition of the shortcuts to the various other *.msc found in the directory %ProgramData%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\ is left as an exercise to the reader.

Note: always specify complete command lines in shortcuts, not just the name of a data or script file, and always use fully qualified pathnames!

Mitigation against exploitation of WUSA.exe

Inhibit its elevation:
; Copyright © 2009-2017, Stefan Kanthak <skanthak@nexgo.de>

[Version]
Provider  = "Stefan Kanthak"
Signature = "$Windows NT$"

[DefaultInstall]
AddReg    = Registry

[Registry]
HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers","%16421%\WUSA.exe",2,"RunAsInvoker"

Note: addition of the Registry entries for the AMD64 alias x64 and IA64 processor architectures is left as an exercise to the reader.

Mitigation against exploitation of MSHTA.exe, CScript.exe and WScript.exe

Inhibit their elevation:
; Copyright © 2009-2017, Stefan Kanthak <skanthak@nexgo.de>

[Version]
Provider  = "Stefan Kanthak"
Signature = "$Windows NT$"

[DefaultInstall]
AddReg    = Registry

[Registry]
HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers","%16421%\MSHTA.exe",2,"RunAsInvoker"
HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers","%16421%\CScript.exe",2,"RunAsInvoker"
HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers","%16421%\WScript.exe",2,"RunAsInvoker"

Note: addition of the Registry entries for the AMD64 alias x64 and IA64 processor architectures is left as an exercise to the reader.

Alternative mitigation

Launch an arbitrary other application instead of the superfluous CompMgmtLauncher.exe:
; Copyright © 2016-2017, Stefan Kanthak <skanthak@nexgo.de>

[Version]
Provider  = "Stefan Kanthak"
Signature = "$Windows NT$"

[DefaultInstall]
AddReg    = Registry

[Registry]
HKLM,"SOFTWARE\Microsoft\Windows NT\Image File Execution Options\CompMgmtLauncher.exe","Debugger",0,"%16420%\.exe"

Download SENTINEL.EXE and save it as %SystemRoot%\.exe.

Note: addition of the Registry entries for the AMD64 alias x64 and IA64 processor architectures as well as EventVwr.exe is left as an exercise to the reader.
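After running the setup scripts above it is worth confirming that every entry actually landed, since the AddReg flags used (32 = overwrite only, 2 = no clobber) silently skip a write when the target value is missing or already present. The PowerShell script below is an added example, not part of this page or of UACaMole: it reads back the RunAsInvoker layers, the three replaced verb command lines and the optional IFEO Debugger entry and prints one OK/not-OK row per check. Checking the SysWOW64 copies of the launchers on x64 systems is an assumption of this example (the page only says the x64 entries are left to the reader); everything it reads is in HKLM or HKCR, so it runs unelevated.

```powershell
# Added example (not part of the original page): verify that the UACaMole
# mitigations are in effect. Read-only; no elevation needed.

$sys    = Join-Path $env:SystemRoot 'System32'
$layers = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
$exes   = 'CompMgmtLauncher.exe', 'EventVwr.exe', 'WUSA.exe', 'MSHTA.exe', 'CScript.exe', 'WScript.exe'
$results = @()

# 1. RunAsInvoker compatibility layer for each launcher. The layer is keyed by the
#    full path, so the SysWOW64 copies on x64 need their own entries (assumption).
$dirs = @($sys)
$wow  = Join-Path $env:SystemRoot 'SysWOW64'
if (Test-Path -LiteralPath $wow) { $dirs += $wow }
foreach ($dir in $dirs) {
    foreach ($exe in $exes) {
        $path = Join-Path $dir $exe
        if (-not (Test-Path -LiteralPath $path)) { continue }   # not every exe exists in every edition
        $layer = (Get-ItemProperty -LiteralPath $layers -Name $path -ErrorAction SilentlyContinue).$path
        $results += [pscustomobject]@{
            Check = "Layer for $path"
            OK    = ($layer -match '\bRunAsInvoker\b')
            Value = $layer
        }
    }
}

# 2. The replaced verb command lines must name MMC.exe and no longer the launchers.
$verbs = @{
    'Computer > Manage' = 'Registry::HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\Shell\Manage\Command'
    '.evt  > Open'      = 'Registry::HKEY_CLASSES_ROOT\evtfile\Shell\Open\Command'
    '.evtx > Open'      = 'Registry::HKEY_CLASSES_ROOT\evtxfile\Shell\Open\Command'
}
foreach ($entry in $verbs.GetEnumerator()) {
    $cmd = (Get-ItemProperty -LiteralPath $entry.Value -ErrorAction SilentlyContinue).'(default)'
    $results += [pscustomobject]@{
        Check = $entry.Key
        OK    = ($cmd -match 'MMC\.exe' -and $cmd -notmatch 'CompMgmtLauncher|EventVwr\.exe')
        Value = $cmd
    }
}

# 3. Alternative mitigation: IFEO Debugger redirecting CompMgmtLauncher.exe.
#    Informational, since it is an alternative to, not part of, the layer above.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CompMgmtLauncher.exe'
$dbg  = (Get-ItemProperty -LiteralPath $ifeo -Name Debugger -ErrorAction SilentlyContinue).Debugger
$results += [pscustomobject]@{ Check = 'IFEO Debugger (alternative)'; OK = [bool]$dbg; Value = $dbg }

$results | Format-Table -AutoSize -Wrap
```

A false row in section 2 after installation usually means the verb key did not exist on that Windows version, so the overwrite-only write (flag 32) was skipped; a false row in section 1 means an existing layer value for that path (flag 2, no clobber) was left untouched and needs RunAsInvoker appended by hand.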

Installation

Download the setup script UACAMOLE.INF, then right-click to display its context menu and click Install to run the installation.
The installation requires administrative privileges.

Note: on systems with AMD64 alias x64 processor architecture the installation must be run in the native (64-bit) execution environment!

Update

The setup script supports the update from any previous version: just install the current version!

Deinstallation

Not provided.

Trivia

UACaMole is pronounced like Whac-A-Mole.

Contact

If you miss anything here, have additions, comments, corrections, criticism or questions, want to give feedback, hints or tips, report broken links, bugs, errors, inaccuracies, omissions, vulnerabilities or weaknesses, …:
don’t hesitate to contact me and feel free to ask, comment, criticise, flame, notify or report!

Use the X.509 certificate to send S/MIME encrypted mail.

Notes: I dislike HTML (and even weirder formats too) in email, I prefer to receive plain text.
I also expect to see a full (real) name as sender, not a nickname!
Emails in weird formats and without a proper sender name are likely to be discarded.
I abhor top posts and expect inline quotes in replies.


Copyright © 1995–2017 • Stefan Kanthak • <skanthak@nexgo.de>