Me, myself & IT

Mitigate some Exploits for Windows’® UAC

Purpose

Mitigate some exploits for vulnerabilities of the auto-elevation (mis)feature of the braindead security theatre abomination known as UAC.

Reason

As shipped by Microsoft®, all versions of Windows® are unsafe: Windows is still set up without strict privilege separation, i.e. without separate accounts for (unprivileged) user(s) and (privileged) administrator(s)!

Vulnerabilities

The following vulnerabilities can be exploited in standard installations of Windows 7 and newer versions of Windows NT, without user interaction!

Note: only vulnerabilities and exploits for which a mitigation exists are presented here, including the mitigation!

Vulnerabilities of CompMgmtLauncher.exe

The superfluous application Computer Management Snapin Launcher CompMgmtLauncher.exe is used to start the Computer Management snap-in CompMgmt.msc of the Microsoft Management Console; it is one of the about 70 applications shipped with Windows 7 and newer versions of Windows NT which have auto-elevation enabled.

Note: it is superfluous because the command line "%SystemRoot%\System32\MMC.exe" "%SystemRoot%\System32\CompMgmt.msc" launches Computer Management directly, and MMC.exe has auto-elevation enabled too.

CompMgmtLauncher.exe has a severe design bug: instead of launching the command line "%SystemRoot%\System32\MMC.exe" "%SystemRoot%\System32\CompMgmt.msc" it launches the shortcut %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Computer Management.lnk alias %ProgramData%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Computer Management.lnk.

An unprivileged user can set the environment variable ALLUSERSPROFILE to an arbitrary directory, create the subdirectory Microsoft\Windows\Start Menu\Programs\Administrative Tools\ there and then create the shortcut Computer Management.lnk specifying an arbitrary (rogue) command line in this subdirectory.
In standard installations of Windows 7 and newer versions of Windows NT, CompMgmtLauncher.exe launches this command line without UAC prompt with administrative privileges.

Note: because the command line %SystemRoot%\System32\CompMgmt.msc of the shortcut %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Computer Management.lnk specifies no executable file, CompMgmtLauncher.exe has the (following) vulnerability of EventVwr.exe too.

Vulnerability of EventVwr.exe

The superfluous application Event Viewer Snapin Launcher EventVwr.exe is used to start the Event Viewer snap-in EventVwr.msc of the MMC.exe; it is one of the about 70 applications shipped with Windows 7 and newer versions of Windows NT which have auto-elevation enabled.

Note: it is superfluous because the command line "%SystemRoot%\System32\MMC.exe" "%SystemRoot%\System32\EventVwr.msc" launches Event Viewer directly, and MMC.exe has auto-elevation enabled too.

Note: EventVwr.exe exists for backward compatibility with Windows NT4 and earlier versions of Windows NT only; in Windows 2000 the standalone Event Viewer application was replaced by the snap-in EventVwr.msc.

EventVwr.exe has a severe design bug: instead of launching the command line "%SystemRoot%\System32\MMC.exe" "%SystemRoot%\System32\EventVwr.msc" it calls the Win32 function ShellExecute() to launch EventVwr.msc; ShellExecute() reads the (unnamed) default values of the Registry entries [HKEY_CLASSES_ROOT\.msc] and [HKEY_CLASSES_ROOT\mscfile\Shell\Open\Command] to evaluate the command line to launch EventVwr.msc.

The Registry key [HKEY_CLASSES_ROOT] is the overlay of the Registry key [HKEY_LOCAL_MACHINE\SOFTWARE\Classes] with the Registry key [HKEY_CURRENT_USER\Software\Classes], i.e. the latter takes precedence.

An unprivileged user can create the Registry key [HKEY_CURRENT_USER\Software\Classes\mscfile\Shell\Open\Command] and write an arbitrary (rogue) command line to its (unnamed) default value, or create the Registry key [HKEY_CURRENT_USER\Software\Classes\.msc] and write an arbitrary (rogue) Programmatic Identifier (foobar for example) to its (unnamed) default value, then create the Registry key [HKEY_CURRENT_USER\Software\Classes\foobar\Shell\Open\Command] and write an arbitrary (rogue) command line to its (unnamed) default value.

In standard installations of Windows 7 and newer versions of Windows NT, EventVwr.exe launches this command line without UAC prompt with administrative privileges.

Vulnerability of MMC.exe

Multiple snap-ins of the Microsoft Management Console are implemented using the .NET Framework.

When .NET Framework is loaded, its Common Language Runtime execution engine evaluates the environment variables COR_ENABLE_PROFILING and COR_PROFILER (and, since .NET Framework 4, additionally COR_PROFILER_PATH) and loads the COM object specified by them as Code Profiler:

When both environment variable checks pass, the CLR creates an instance of the profiler in a similar manner to the COM CoCreateInstance function. The profiler is not loaded through a direct call to CoCreateInstance. Therefore, a call to CoInitialize, which requires setting the threading model, is avoided.
The CLR execution engine, however, fails to implement the security checks added to the Win32 function CoCreateInstance in Windows Vista:
The Component Object Model (COM) leverages the registry to maintain information about all of the COM objects installed on a computer. This registry hive (HKEY_CLASSES_ROOT) is a virtual registry hive, which allows for both per-user and per-machine object registration. Per-user COM objects configurations are stored in HKEY_CURRENT_USER\Software\Classes, while per-machine configurations are stored in HKEY_LOCAL_MACHINE\Software\Classes. Typically, per-user configurations take precedence.

Beginning with Windows Vista® and Windows Server® 2008, if the integrity level of a process is higher than Medium, the COM runtime ignores per-user COM configuration and accesses only per-machine COM configuration. This action reduces the surface area for elevation of privilege attacks, preventing a process with standard user privileges from configuring a COM object with arbitrary code and having this code called from an elevated process.

An unprivileged user can set the environment variables and create the Registry keys and entries below [HKEY_CURRENT_USER\Software\Classes\CLSID] to register an arbitrary (rogue) DLL as COM object.

In standard installations of Windows 7 and newer versions of Windows NT, MMC.exe loads this DLL without UAC prompt with administrative privileges.

Note: this vulnerability allows arbitrary code execution in every application which uses .NET Framework!

Vulnerability of shortcuts in the start menu

The shortcuts for all snap-ins of the Microsoft Management Console in the directories %ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\ and %ProgramData%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\ show the same vulnerability as EventVwr.exe: Windows Explorer processes their command lines %SystemRoot%\System32\‹filename›.msc just like the Win32 function ShellExecute() does.

Blended vulnerabilities

WUSA.exe, the Windows Update Standalone Installer, is yet another of the about 70 applications shipped with Windows 7 and newer versions of Windows NT which have auto-elevation enabled.
Its /Extract:‹destination› command-line switch allows extracting the contents of arbitrary cabinet archives into arbitrary destination directories. Because it runs elevated, this feature can be (ab)used to plant DLLs which are loaded and executed by other applications with auto-elevation enabled, thereby gaining administrative privileges:
MMC.exe

The Event Viewer snap-in EventVwr.msc of the Microsoft Management Console MMC.exe loads and executes ELS.dll, which in turn loads and executes ELSExt.dll; because ELSExt.dll is not shipped with Windows, an arbitrary (rogue) DLL with this filename can be planted in the system directory %SystemRoot%\System32\, from where it is then loaded and executed with administrative privileges.

CliConfg.exe

The SQL Client Configuration Utility CliConfg.exe has auto-elevation enabled too.
It loads and executes NTWDBLib.dll; because NTWDBLib.dll is not shipped with Windows, an arbitrary (rogue) DLL with this filename can be planted in the system directory %SystemRoot%\System32\, from where it is then loaded and executed with administrative privileges.

SysPrep.exe

The System Preparation Utility SysPrep.exe has auto-elevation enabled too.
In Windows 7 and Windows Server 2008 R2, it loads and executes CryptBase.dll, CryptSP.dll, DWMAPI.dll, RPCRtRemote.dll and UXTheme.dll; because these DLLs don’t exist in its application directory %SystemRoot%\System32\SysPrep\, arbitrary (rogue) DLLs with these filenames can be planted there, from where they are then loaded and executed with administrative privileges.

SetupSQM.exe

The Setup SQM Tool SetupSQM.exe has auto-elevation enabled too.
It loads and executes WDSCore.dll; because WDSCore.dll does not exist in its application directory %SystemRoot%\System32\OoBE\, an arbitrary (rogue) DLL with this filename can be planted there, from where it is then loaded and executed with administrative privileges.

MCX2Prov.exe

The MCX2 Provisioning Library MCX2Prov.exe has auto-elevation enabled too.
In Windows 7 it loads and executes CryptBase.dll; because CryptBase.dll does not exist in its application directory %SystemRoot%\eHome\, an arbitrary (rogue) DLL with this filename can be planted there, from where it is then loaded and executed with administrative privileges.

PkgMgr.exe

The Windows Package Manager PkgMgr.exe has auto-elevation enabled too.
It calls DISMHost.exe to perform some of its tasks, which loads and executes PEProvider.dll; because PEProvider.dll is not shipped with Windows, an arbitrary (rogue) DLL with this filename can be planted in its application directory %SystemRoot%\System32\DISM\, from where it is then loaded and executed with administrative privileges.

MSHTA.exe, CScript.exe and WScript.exe

In Windows 7 and Windows Server 2008 R2, the Microsoft HTML Application Host MSHTA.exe, the Console Based Script Host CScript.exe and the Windows Based Script Host WScript.exe are shipped without embedded application manifest.
Windows’ module loader therefore evaluates external (rogue) application manifests MSHTA.exe.manifest, CScript.exe.manifest and WScript.exe.manifest planted in the system directory %SystemRoot%\System32\. These application manifests can enable auto-elevation, resulting in execution of every HTML Application *.hta, every JScript *.js or *.jse, every VBScript *.vbs or *.vbe, as well as every other script *.wsf or *.wsh for the Windows Script Host with administrative privileges.

Mitigations

With the mitigations presented here an unprivileged user can still execute CompMgmtLauncher.exe and EventVwr.exe, but they run with the unprivileged user’s credentials, not elevated; when they launch %SystemRoot%\System32\CompMgmt.msc or %SystemRoot%\System32\EventVwr.msc, elevation is handled during start of %SystemRoot%\System32\MMC.exe.

Note: the mitigations are designed for and have been tested on Windows 7; their adaptation to newer versions of Windows NT is left as an exercise to the reader.

Mitigation against exploitation of CompMgmtLauncher.exe

Replace the command line of the Computer Management context menu entry of the Computer icon which launches the superfluous CompMgmtLauncher.exe and additionally inhibit its elevation:
; Copyright © 2016-2018, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

[Version]
Provider  = "Stefan Kanthak"
Signature = "$Windows NT$"

[DefaultInstall]
AddReg    = Registry

[Registry]
; DIRID 16421 is %SystemRoot%\System32; flag 32 (FLG_ADDREG_OVERWRITEONLY) replaces the existing command only
HKCR,"CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\Shell\Manage\Command",,32,"%16421%\MMC.exe %16421%\CompMgmt.msc"

; flag 2 (FLG_ADDREG_NOCLOBBER) keeps an already existing layer entry for this application
HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers","%16421%\CompMgmtLauncher.exe",2,"RunAsInvoker"
Note: addition of the Registry entries for the AMD64 alias x64 and IA64 processor architectures is left as an exercise to the reader.

Caveat: NEVER use the reserved and implementation-defined Registry (sub)keys WoW6432Node and WoWAA32Node; specify the proper flags or run the installation in the proper execution environment!

Mitigation against exploitation of EventVwr.exe

Replace the command line of the verb Open for Event Log files which launches the superfluous EventVwr.exe and additionally inhibit its elevation:
; Copyright © 2009-2018, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

[Version]
Provider  = "Stefan Kanthak"
Signature = "$Windows NT$"

[DefaultInstall]
AddReg    = Registry

[Registry]
HKCR,"evtfile\Shell\Open\Command",,32,"%16421%\MMC.exe %16421%\EventVwr.msc /L:""%L"""
HKCR,"evtxfile\Shell\Open\Command",,32,"%16421%\MMC.exe %16421%\EventVwr.msc /L:""%L"""

HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers","%16421%\EventVwr.exe",2,"RunAsInvoker"
Note: addition of the Registry entries for the AMD64 alias x64 and IA64 processor architectures is left as an exercise to the reader.

Caveat: NEVER use the reserved and implementation-defined Registry (sub)keys WoW6432Node and WoWAA32Node; specify the proper flags or run the installation in the proper execution environment!

Mitigations against exploitation of .NET Framework profiler

Use an unprivileged Standard User account!
Additionally use AppLocker or Software Restriction Policies alias SAFER to prevent execution of DLLs from user-writable directories.

Mitigations against exploitation of vulnerable shortcuts in the start menu

Replace the command line of the shortcuts:
; Copyright © 2009-2018, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

[Version]
Provider  = "Stefan Kanthak"
Signature = "$Windows NT$"

[DefaultInstall]
ProfileItems = Shortcut

[Shortcut]
CmdLine     = 16421,,"MMC.exe %16421%\TaskSchd.msc"
;HotKey     =
IconIndex   = 1
IconPath    = 16421,,"MIGUIResource.dll"
InfoTip     = "@%16421%\MIGUIResource.dll,-202"
Name        = "Task Scheduler",0
SubDir      = "Accessories\System Tools"
;WorkingDir = 16421,
Note: addition of the shortcuts to the various other *.msc found in the directory %ProgramData%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\ is left as an exercise to the reader.

Note: always specify complete command lines in shortcuts, not just the name of a data or script file, and always use fully qualified pathnames!

Mitigation against exploitation of WUSA.exe

Inhibit its elevation:
; Copyright © 2009-2018, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

[Version]
Provider  = "Stefan Kanthak"
Signature = "$Windows NT$"

[DefaultInstall]
AddReg    = Registry

[Registry]
HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers","%16421%\WUSA.exe",2,"RunAsInvoker"
Note: addition of the Registry entries for the AMD64 alias x64 and IA64 processor architectures is left as an exercise to the reader.

Caveat: NEVER use the reserved and implementation-defined Registry (sub)keys WoW6432Node and WoWAA32Node; specify the proper flags or run the installation in the proper execution environment!

Mitigation against exploitation of MSHTA.exe, CScript.exe and WScript.exe

Inhibit their elevation:
; Copyright © 2009-2018, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

[Version]
Provider  = "Stefan Kanthak"
Signature = "$Windows NT$"

[DefaultInstall]
AddReg    = Registry

[Registry]
HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers","%16421%\MSHTA.exe",2,"RunAsInvoker"
HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers","%16421%\CScript.exe",2,"RunAsInvoker"
HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers","%16421%\WScript.exe",2,"RunAsInvoker"
Note: addition of the Registry entries for the AMD64 alias x64 and IA64 processor architectures is left as an exercise to the reader.

Caveat: NEVER use the reserved and implementation-defined Registry (sub)keys WoW6432Node and WoWAA32Node; specify the proper flags or run the installation in the proper execution environment!

Alternative mitigation

Launch an arbitrary other application instead of the superfluous CompMgmtLauncher.exe:
; Copyright © 2016-2018, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

[Version]
Provider  = "Stefan Kanthak"
Signature = "$Windows NT$"

[DefaultInstall]
AddReg    = Registry

[Registry]
; DIRID 16420 is %SystemRoot%; the IFEO Debugger value makes process creation start %SystemRoot%\.exe instead,
; with the original command line of CompMgmtLauncher.exe appended
HKLM,"SOFTWARE\Microsoft\Windows NT\Image File Execution Options\CompMgmtLauncher.exe","Debugger",0,"%16420%\.exe"
Download SENTINEL.EXE and save it as %SystemRoot%\.exe.

Note: addition of the Registry entries for the AMD64 alias x64 and IA64 processor architectures as well as EventVwr.exe is left as an exercise to the reader.

Caveat: NEVER use the reserved and implementation-defined Registry (sub)keys WoW6432Node and WoWAA32Node; specify the proper flags or run the installation in the proper execution environment!
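Before running any of the setup scripts above, a reviewer may want to see the Registry writes they perform with the DIRIDs expanded and the AddReg flags decoded; this added Python helper (not part of UACAMOLE.INF or of this page) does that. It assumes the default installation path C:\Windows for DIRIDs 16420 and 16421, decodes only the flag bits 2 and 32 used on this page, and embeds the [Registry] section of the EventVwr.exe mitigation as its sample input.

```python
"""Decode the AddReg lines of the setup scripts on this page into the Registry writes they
perform (effective key, value name, flag semantics, expanded DIRIDs) for review before
installing.  Added example, not part of the page; the DIRID paths assume C:\\Windows."""
import csv
import re

DIRIDS = {"16420": r"C:\Windows", "16421": r"C:\Windows\System32"}  # setupapi DIRIDs used here
ROOTS = {"HKCR": "HKEY_CLASSES_ROOT", "HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
FLAGS = {0x2: "NOCLOBBER: keep an existing value", 0x20: "OVERWRITEONLY: write only if the value exists"}


def expand_dirids(text):
    """Replace %16421%-style DIRID tokens; unknown DIRIDs stay as-is so they stand out."""
    return re.sub(r"%(\d+)%", lambda m: DIRIDS.get(m.group(1), m.group(0)), text)


def parse_addreg(line):
    """Parse one 'reg-root,subkey[,value-name[,flags[,value]]]' AddReg line.  The csv module
    implements the INF quoting rules, including "" for a literal quote inside a quoted field."""
    root, subkey, name, flags, data = (next(csv.reader([line], skipinitialspace=True)) + [""] * 3)[:5]
    flags = flags.strip() or "0"
    bits = int(flags, 16) if flags.lower().startswith("0x") else int(flags)
    return {"key": f"{ROOTS[root.strip().upper()]}\\{subkey}", "name": expand_dirids(name),
            "flags": bits, "data": expand_dirids(data),
            "semantics": "; ".join(t for b, t in FLAGS.items() if bits & b) or "create or overwrite"}


def parse_section(inf_text, section):
    """Return the writes listed in [section], skipping blank lines and ';' comment lines."""
    writes, inside = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            inside = line.lower() == f"[{section.lower()}]"
        elif inside:
            writes.append(parse_addreg(line))
    return writes


# Constructed sample: the [Registry] section of the EventVwr.exe mitigation above.
SAMPLE_INF = r'''[DefaultInstall]
AddReg    = Registry

[Registry]
HKCR,"evtfile\Shell\Open\Command",,32,"%16421%\MMC.exe %16421%\EventVwr.msc /L:""%L"""
HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers","%16421%\EventVwr.exe",2,"RunAsInvoker"
'''

if __name__ == "__main__":
    for w in parse_section(SAMPLE_INF, "Registry"):
        print(f'{w["key"]} [{w["name"] or "(Default)"}] = "{w["data"]}"  ; {w["semantics"]}')
```

Feed the downloaded UACAMOLE.INF to parse_section() in place of the sample to list every write before clicking Install; the FLG_ADDREG_64BITKEY/32BITKEY bits the caveat refers to are not decoded here.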

Installation

Download the setup script UACAMOLE.INF, then right-click to display its context menu and click Install to run the installation.
The installation requires administrative privileges.

Note: on systems with AMD64 alias x64 processor architecture, the installation must be run in the native (64-bit) execution environment!

Update

The setup script supports the update from any previous version: just install the current version!

Deinstallation

Not provided.

Trivia

UACaMole is pronounced like Whac-A-Mole.

Copyright © 1995–2018 • Stefan Kanthak • <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>