Thursday, June 22, 2017

Display Color Calibration tool DCCW and UAC bypasses



In today's post we'll look at yet another way to bypass UAC using the Display Color Calibration tool, hereafter referred to as "DCCW".

DCCW has already been exploited in the past to bypass UAC, more specifically, by leveraging DLL sideloading:
DccwBypassUAC

This research started by helping out a friend with display issues some months ago, and stumbling upon the DCCW tool, or more specifically, the following blog post:
Using the Display Color Calibration Tool (DCCW.exe) in Windows 7 to Get the Most From your Display

Being inspired by Matt Nelson, I decided to have a closer look as to how and why this may be a UAC bypass.

What follows below is purely a Proof of Concept, as you would already need to have compromised the machine (or bypassed UAC, or let the user allow) in order to execute this.

Regardless, it can be used for persistence, and I'd still like for you to following along on my journey inside the wondrous world of UAC bypasses  :-)

This has been tested on: Windows 10 and Windows 8.1 x64 and x86.

Prerequisites:

  • User has to be member of the local administrator group.
  • UAC is ... already disabled, or at a low setting, or the user confirmed the UAC prompt.

DCCW is a Microsoft signed binary and will auto-elevate itself due to its manifest.

Figure 1 - verified, signed Microsoft binary (using Sigcheck)

Figure 2 - autoElevate is set to 'true'

Running through the DCCW wizard, we can happily click next, until the end of the wizard the following is displayed:

Figure 3 - end of DCCW wizard

Note the automatically enabled or ticked checkbox:
"Start ClearType Tuner when I click Finish to ensure that text appears correctly (Recommended)"

Launching procmon and executing DCCW; the following can be observed:

Figure 4 - DCCW loading CTTune

As you notice, DCCW attempts to open, and read, the subkey in:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

Image File Execution Options (IFEO) has several uses, and can for example be used to prevent a program from starting, For example, in the past, malware has abused IFEO to hijack processes of antivirus programs, so they would not be able to start.

Back on topic, creating an IFEO using CTTune, we can start anything at the highest integrity (and circumvent the UAC prompt) ... Including PowerShell :-)


Figure 5 - Launch of DCCW, note the High integrity

and...

Figure 6 - PowerShell started with High integrity (normal level of integrity is Medium)

To try this yourself, create a new key in:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options named CTTune.exe, consequently create a new value named 'Debugger' and in the Data section, place whatever you want. Example:

Figure 7 - CTTune IFEO

End-result:

Figure 8 - PowerShell running as administrator, with highest integrity


This attack is more theoretical, rather than practical, due to the need for initial admin permissions, the DCCW wizard appearing, and the user having the need to click through. The main point here is that no UAC windows will appear asking the user for permission, once the IFEO is set, and DCCW is started. Some other points to consider:

  • Users love to click on things, especially 'Next' in wizards :-)
  • You can try social engineering to entice the user in allowing UAC, & clicking through
  • You can try extending the PowerShell script below, by simulating mouse clicks or button presses in PowerShell - effectively impersonating the user.

You may find the PowerShell script here on Github:
https://github.com/bartblaze/dccwUACBypass

If I made any mistake(s) in the script, please do let me know!


Finding UAC bypasses


If you like to try new things, then trying to find a UAC bypass can definitely prove to be a challenge and fun! While my story here was both successful and not - I found a theoretical UAC bypass, but with limitations, it's still good to go out of your way and do something you're less familiar with.

For finding UAC bypasses, or other strange, weird or old Windows artifacts and binaries, I can definitely recommend the following tools:


Process Explorer
https://technet.microsoft.com/en-us/sysinternals/processexplorer.aspx

Process Monitor
https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx

Sigcheck
https://technet.microsoft.com/en-us/sysinternals/bb897441.aspx

PEViewer/RogueKillerPE
http://www.adlice.com/download/roguekillerpe/

IDA Pro Free:
https://www.hex-rays.com/products/ida/support/download_freeware.shtml

A Windows system, and a C:\Windows\System32 and/or C:\Windows\SysWOW64 folder.


Additionally, have a look at the Resources section at the end of this post.


Prevention

Obviously, you would like to prevent these specific bypasses from ever occurring. Please find below some recommendations I've compiled:




Additionally, have a look at the Resources section at the end of this post.



Conclusions

UAC bypasses are an interesting domain: while Microsoft seems to take a 'lighter' approach in regards to these specific bypasses, it doesn't mean they aren't being looked at. For example, latest releases of Windows 10 fix several UAC bypasses.

My hope is that, by accumulating the info in this blog post and following along my journey, you may find other UAC bypasses, or other cool stuff lying around :-)

Keep in mind that UAC bypasses are definitely out there in the wild - not only by pentesters, but also by attackers, whether cybercrime or APTs.

As always, feedback is appreciated.



Resources

Defeating Windows User Account Control (UACME)
Dridex Returns With Windows UAC Bypass Method
Enigma0x3's blog (tons of good stuff in there)
PowerShell-Suite/Bypass-UAC
User Account Control: Inside Windows 7 User Account Control
User Account Control Step-by-Step Guide