Researcher leveraged App Paths to bypass User Account Control in Windows 10

The security expert Matt Nelson has devised a new method that leverages App Paths to bypass the User Account Control (UAC) only on Windows 10.

The researcher detailed a bypass technique that is quite differed to the previous ones he devices, the new method “doesn’t rely on the IFileOperation/DLL hijacking approach”.

“I’ve previously blogged about two different bypass techniques, and this post will highlight an alternative method that also doesn’t rely on the IFileOperation/DLL hijacking approach.” reads a blog post published by Nelson. “This technique works on Windows 10 build 15031, where the vast majority of public bypasses have been patched.”

The expert explained that there are several signed binaries in Microsoft OS that auto-elevate due to their manifest. Nelson analyzed them and focused its investigation on sdclt.exe, which is the process associated with the Backup and Restore tool in Windows.

He discovered that sdclt.exe auto-elevates due to its manifest only in Windows 10.

The sdclt.exe starts control.exe to open up a Control Panel item in high-integrity context, the process obtains the path to control.exe by querying the App Path key for it within the HKEY_CURRENT_USER hive.

“Looking again at the execution flow, sdclt.exe queries the App Path key for control.exe within the HKEY_CURRENT_USER hive.” explained Nelson.

“Calls to HKEY_CURRENT_USER (or HKCU) from a high integrity process are particularly interesting. This often means that an elevated process is interacting with a registry location that a medium integrity process can tamper with,”

An attacker can modify the key that is retrieved by the sdclt.exe query, the expert managed to have cmd.exe returned to the query.

The method doesn’t allow for using parameters, in order to exploit it the attacker has to place the malicious payload to the disk.

“If you try to give the binary any parameters (e.g, C:\Windows\System32\cmd.exe /c calc.exe), it will interpret the entire string as the lpFile value to the ShellExecuteInfo structure, which is then passed over to ShellExecuteEx. Since that value doesn’t exist, it will not execute.” continues Nelson.

The expert published a PoC script to demonstrate the method, he explained that attack can be prevented by setting the UAC level to “Always Notify” or by removing the current user from the Local Administrators group.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – User Account Control, hacking)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.