Me, myself & IT

Mitigate exploits for Windows'® UAC

Purpose

Mitigate exploits for the auto-elevation (mis)feature of the braindead security theatre abomination known as UAC.

Vulnerabilities

The vulnerabilities can be exploited in standard installations of Windows 7 and newer versions of Windows NT since Windows is still set up without strict privilege separation, i.e. without separate accounts for user(s) and administrator(s)!

Vulnerabilities of CompMgmtLauncher.exe

The superfluous application CompMgmtLauncher.exe is used to start the Computer Management snap-in CompMgmt.msc of the Microsoft Management Console; it is one of the about 70 applications shipped with Windows 7 and newer versions of Windows NT which have auto-elevation enabled.
It is superfluous since MMC.exe has auto-elevation enabled too.
It is superfluous since the command line "%SystemRoot%\System32\MMC.exe" "%SystemRoot%\System32\CompMgmt.msc" launches Computer Management directly.

CompMgmtLauncher.exe has a severe design bug: instead of launching the command line "%SystemRoot%\System32\MMC.exe" "%SystemRoot%\System32\CompMgmt.msc" it launches the shortcut %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Computer Management.lnk alias %ProgramData%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Computer Management.lnk.

An unprivileged user can set the environment variable ALLUSERSPROFILE to an arbitrary directory, create the subdirectory Microsoft\Windows\Start Menu\Programs\Administrative Tools\ there and then create the shortcut Computer Management.lnk with an arbitrary command line.
In standard installations of Windows 7 and newer versions of Windows NT CompMgmtLauncher.exe launches this command line without UAC prompt with administrative privileges.

Note: since the command line %SystemRoot%\System32\CompMgmt.msc of the shortcut %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Computer Management.lnk specifies no executable file, CompMgmtLauncher.exe has the (following) vulnerability of EventVwr.exe too.

Vulnerability of EventVwr.exe

The superfluous application EventVwr.exe is used to start the Event Viewer snap-in EventVwr.msc of MMC.exe; it is one of the about 70 applications shipped with Windows 7 and newer versions of Windows NT which have auto-elevation enabled.
It is superfluous since MMC.exe has auto-elevation enabled too.
It is superfluous since the command line "%SystemRoot%\System32\MMC.exe" "%SystemRoot%\System32\EventVwr.msc" launches Event Viewer directly.

Note: EventVwr.exe exists for backward compatibility with Windows NT4 and earlier versions only; in Windows 2000 the standalone Event Viewer application was replaced by the snap-in EventVwr.msc.

EventVwr.exe has a severe design bug: instead of launching the command line "%SystemRoot%\System32\MMC.exe" "%SystemRoot%\System32\EventVwr.msc" it calls the Win32 function ShellExecute() to launch EventVwr.msc; ShellExecute() reads the (unnamed) default values of the Registry entries [HKEY_CLASSES_ROOT\.msc] and [HKEY_CLASSES_ROOT\mscfile\Shell\Open\Command] to evaluate the command line to launch EventVwr.msc.

The Registry key [HKEY_CLASSES_ROOT] is the overlay of the Registry key [HKEY_LOCAL_MACHINE\SOFTWARE\Classes] with the Registry key [HKEY_CURRENT_USER\Software\Classes], i.e. the latter takes precedence.

An unprivileged user can create the Registry key [HKEY_CURRENT_USER\Software\Classes\mscfile\Shell\Open\Command] and write an arbitrary command line to its (unnamed) default value, or create the Registry key [HKEY_CURRENT_USER\Software\Classes\.msc] and write a new Programmatic Identifier (foobar for example) to its (unnamed) default value, then create the Registry key [HKEY_CURRENT_USER\Software\Classes\foobar\Shell\Open\Command] and write an arbitrary command line to its (unnamed) default value.
In standard installations of Windows 7 and newer versions of Windows NT EventVwr.exe launches this command line without UAC prompt with administrative privileges.

Vulnerability of shortcuts in the start menu

The shortcuts for all snap-ins of the Microsoft Management Console in the directories "%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools" and "%ProgramData%\Microsoft\Windows\Start Menu\Programs\Administrative Tools" show the same vulnerability as EventVwr.exe.

Mitigations

With the mitigations presented here an unprivileged user can still execute CompMgmtLauncher.exe and EventVwr.exe, but they run with the unprivileged user's credentials, not elevated; when they launch %SystemRoot%\System32\CompMgmt.msc or %SystemRoot%\System32\EventVwr.msc, elevation is handled during start of %SystemRoot%\System32\MMC.exe.

Note: the mitigations are designed for and have been tested on Windows 7; adaptation to newer versions of Windows NT is left as an exercise to the reader.

Mitigation for exploiting CompMgmtLauncher.exe

Replace the command line of the Computer Management context menu entry of the Computer icon which launches the superfluous CompMgmtLauncher.exe and additionally inhibit its elevation:
; Copyright © 2016-2017, Stefan Kanthak <skanthak@nexgo.de>

[Version]
Provider  = "Stefan Kanthak"
Signature = "$Windows NT$"

[DefaultInstall]
AddReg    = Registry

[Registry]
HKCR,"CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\Shell\Manage\Command",,32,"%16421%\MMC.exe %16421%\CompMgmt.msc"

HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers","%16421%\CompMgmtLauncher.exe",2,"RunAsInvoker"

Note: addition of the Registry entries for the AMD64 alias x64 and IA64 processor architectures is left as an exercise to the reader.

Mitigation for exploiting EventVwr.exe

Replace the command line of the verb Open for Event Log files which launches the superfluous EventVwr.exe and additionally inhibit its elevation:
; Copyright © 2009-2017, Stefan Kanthak <skanthak@nexgo.de>

[Version]
Provider  = "Stefan Kanthak"
Signature = "$Windows NT$"

[DefaultInstall]
AddReg    = Registry

[Registry]
HKCR,"evtfile\Shell\Open\Command",,32,"%16421%\MMC.exe %16421%\EventVwr.msc /L:""%L"""
HKCR,"evtxfile\Shell\Open\Command",,32,"%16421%\MMC.exe %16421%\EventVwr.msc /L:""%L"""

HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers","%16421%\EventVwr.exe",2,"RunAsInvoker"

Note: addition of the Registry entries for the AMD64 alias x64 and IA64 processor architectures is left as an exercise to the reader.

Mitigations for exploiting vulnerable shortcuts in the start menu

Replace the command line of the shortcuts:
; Copyright © 2009-2017, Stefan Kanthak <skanthak@nexgo.de>

[Version]
Provider  = "Stefan Kanthak"
Signature = "$Windows NT$"

[DefaultInstall]
ProfileItems = Shortcut

[Shortcut]
CmdLine     = 16421,,"MMC.exe %16421%\TaskSchd.msc"
;HotKey     =
IconIndex   = 1
IconPath    = 16421,,"MIGUIResource.dll"
InfoTip     = "@%16421%\MIGUIResource.dll,-202"
Name        = "Task Scheduler",0
SubDir      = "Accessories\System Tools"
;WorkingDir = 16421,

Note: addition of the shortcuts to various *.msc found in the directory "%ProgramData%\Microsoft\Windows\Start Menu\Programs\Administrative Tools" is left as an exercise to the reader.

Note: always specify complete command lines in shortcuts, not just the name of a data or script file, and always use fully qualified pathnames!
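The following audit script is an added example, not part of the original page or of UACAMOLE.INF: it checks whether the three mitigations above are in place, reports per-user overrides of the .msc file association (which take precedence in HKEY_CLASSES_ROOT and which a standard user has no legitimate need for), and lists start menu shortcuts that still point at a bare *.msc file. It assumes the Windows 7 paths used above and is meant to be run in the native (64-bit) PowerShell.

```powershell
# Added audit script; not part of the original page or of UACAMOLE.INF.
# Assumes the Windows 7 paths used above; run it in the native (64-bit) PowerShell.
$sys32  = Join-Path $env:SystemRoot 'System32'
$layers = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
$manage = 'Registry::HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\Shell\Manage\Command'
$evt    = 'Registry::HKEY_CLASSES_ROOT\evtfile\Shell\Open\Command'
$evtx   = 'Registry::HKEY_CLASSES_ROOT\evtxfile\Shell\Open\Command'

function Get-RegValue([string]$Path, [string]$Name = '') {
    # Named value of a key ('' = the unnamed default value), unexpanded; $null if key or value is missing.
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    return $key.GetValue($Name, $null, 'DoNotExpandEnvironmentNames')
}

function Test-Setting([string]$Check, [string]$Path, [string]$Name, [string]$Pattern) {
    $actual = Get-RegValue $Path $Name
    [pscustomobject]@{ Check = $Check; OK = ($null -ne $actual -and $actual -like $Pattern); Actual = $actual }
}

# 1. The values written by the INF fragments above.
$results = @(
    Test-Setting 'Manage verb launches MMC.exe directly'        $manage ''                            '*\MMC.exe *\CompMgmt.msc'
    Test-Setting 'evtfile Open verb launches MMC.exe directly'  $evt    ''                            '*\MMC.exe *\EventVwr.msc*'
    Test-Setting 'evtxfile Open verb launches MMC.exe directly' $evtx   ''                            '*\MMC.exe *\EventVwr.msc*'
    Test-Setting 'CompMgmtLauncher.exe runs as invoker'         $layers "$sys32\CompMgmtLauncher.exe" '*RunAsInvoker*'
    Test-Setting 'EventVwr.exe runs as invoker'                 $layers "$sys32\EventVwr.exe"         '*RunAsInvoker*'
)

# 2. Per-user overrides of the .msc association take precedence in HKEY_CLASSES_ROOT;
#    a standard user has no legitimate need for them, so report any that exist.
foreach ($key in 'HKCU:\Software\Classes\.msc', 'HKCU:\Software\Classes\mscfile\Shell\Open\Command') {
    $results += [pscustomobject]@{ Check = "No per-user override at $key"; OK = -not (Test-Path -LiteralPath $key); Actual = Get-RegValue $key }
}

# 3. Start menu shortcuts whose target is a bare *.msc (instead of MMC.exe plus the *.msc) still resolve via ShellExecute().
$shell = New-Object -ComObject WScript.Shell
$menus = 'Accessories\System Tools', 'Administrative Tools' |
         ForEach-Object { Join-Path $env:ProgramData "Microsoft\Windows\Start Menu\Programs\$_" }
foreach ($lnk in Get-ChildItem -Path $menus -Filter *.lnk -ErrorAction SilentlyContinue) {
    $target = $shell.CreateShortcut($lnk.FullName).TargetPath
    $results += [pscustomobject]@{ Check = "Shortcut '$($lnk.Name)' targets an executable"; OK = ($target -notlike '*.msc'); Actual = $target }
}

$results | Format-Table -AutoSize -Wrap
```

Every row with OK = False is either a mitigation that has not been applied yet or a per-user override worth investigating.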

Alternative mitigation

Launch an arbitrary other application instead of the superfluous CompMgmtLauncher.exe:
; Copyright © 2016-2017, Stefan Kanthak <skanthak@nexgo.de>

[Version]
Provider  = "Stefan Kanthak"
Signature = "$Windows NT$"

[DefaultInstall]
AddReg    = Registry

[Registry]
HKLM,"SOFTWARE\Microsoft\Windows NT\Image File Execution Options\CompMgmtLauncher.exe","Debugger",0,"%16420%\.exe"

Download SENTINEL.EXE and save it as %SystemRoot%\.exe.

Note: addition of the Registry entries for the AMD64 alias x64 and IA64 processor architectures as well as EventVwr.exe is left as an exercise to the reader.

Installation

Download the setup script UACAMOLE.INF, then right-click to display its context menu and click Install to run the installation.
The installation requires administrative privileges.

Note: on systems with AMD64 alias x64 processor architecture the installation must be run in the native (64-bit) execution environment!

Deinstallation

Not provided.

Contact

If you miss anything here, have additions, comments, corrections, criticism or questions, want to give feedback, hints or tips, report broken links, bugs, errors, inaccuracies, omissions, vulnerabilities or weaknesses, …:
don't hesitate to contact me and feel free to ask, comment, criticise, flame, notify or report!

Use the X.509 certificate to send S/MIME encrypted mail.

Notes: I dislike HTML (and even weirder formats too) in email, I prefer to receive plain text.
I also expect to see a full (real) name as sender, not a nickname!
Emails in weird formats and without a proper sender name are likely to be discarded.
I abhor top posts and expect inline quotes in replies.


Copyright © 1995-2017 • Stefan Kanthak • <skanthak@nexgo.de>