In today's post we'll look at yet another way to bypass UAC using the Display Color Calibration tool, hereafter referred to as "DCCW".
DCCW has already been exploited in the past to bypass UAC, more specifically, by leveraging DLL sideloading:
DccwBypassUAC
This research started by helping out a friend with display issues some months ago, and stumbling upon the DCCW tool, or more specifically, the following blog post:
Using the Display Color Calibration Tool (DCCW.exe) in Windows 7 to Get the Most From your Display
Being inspired by Matt Nelson, I decided to have a closer look as to how and why this may be a UAC bypass.
What follows below is purely a Proof of Concept, as you would already need to have compromised the machine (or bypassed UAC, or let the user allow) in order to execute this.
Regardless, it can be used for persistence, and I'd still like for you to following along on my journey inside the wondrous world of UAC bypasses :-)
This has been tested on: Windows 10 and Windows 8.1 x64 and x86.
Prerequisites:
- User has to be member of the local administrator group.
- UAC is ... already disabled, or at a low setting, or the user confirmed the UAC prompt.
DCCW is a Microsoft signed binary and will auto-elevate itself due to its manifest.
Figure 1 - verified, signed Microsoft binary (using Sigcheck) |
Figure 2 - autoElevate is set to 'true' |
Running through the DCCW wizard, we can happily click next, until the end of the wizard the following is displayed:
Figure 3 - end of DCCW wizard |
Note the automatically enabled or ticked checkbox:
"Start ClearType Tuner when I click Finish to ensure that text appears correctly (Recommended)"
Launching procmon and executing DCCW; the following can be observed:
Figure 4 - DCCW loading CTTune |
As you notice, DCCW attempts to open, and read, the subkey in:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Image File Execution Options (IFEO) has several uses, and can for example be used to prevent a program from starting, For example, in the past, malware has abused IFEO to hijack processes of antivirus programs, so they would not be able to start.
Back on topic, creating an IFEO using CTTune, we can start anything at the highest integrity (and circumvent the UAC prompt) ... Including PowerShell :-)
Figure 5 - Launch of DCCW, note the High integrity |
and...
Figure 6 - PowerShell started with High integrity (normal level of integrity is Medium) |
To try this yourself, create a new key in:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options named CTTune.exe, consequently create a new value named 'Debugger' and in the Data section, place whatever you want. Example:
Figure 7 - CTTune IFEO |
End-result:
Figure 8 - PowerShell running as administrator, with highest integrity |
This attack is more theoretical, rather than practical, due to the need for initial admin permissions, the DCCW wizard appearing, and the user having the need to click through. The main point here is that no UAC windows will appear asking the user for permission, once the IFEO is set, and DCCW is started. Some other points to consider:
- Users love to click on things, especially 'Next' in wizards :-)
- You can try social engineering to entice the user in allowing UAC, & clicking through
- You can try extending the PowerShell script below, by simulating mouse clicks or button presses in PowerShell - effectively impersonating the user.
You may find the PowerShell script here on Github:
https://github.com/bartblaze/dccwUACBypass
If I made any mistake(s) in the script, please do let me know!
Finding UAC bypasses
If you like to try new things, then trying to find a UAC bypass can definitely prove to be a challenge and fun! While my story here was both successful and not - I found a theoretical UAC bypass, but with limitations, it's still good to go out of your way and do something you're less familiar with.
For finding UAC bypasses, or other strange, weird or old Windows artifacts and binaries, I can definitely recommend the following tools:
Process Explorer
https://technet.microsoft.com/en-us/sysinternals/processexplorer.aspx
Process Monitor
https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx
Sigcheck
https://technet.microsoft.com/en-us/sysinternals/bb897441.aspx
PEViewer/RogueKillerPE
http://www.adlice.com/download/roguekillerpe/
IDA Pro Free:
https://www.hex-rays.com/products/ida/support/download_freeware.shtml
A Windows system, and a C:\Windows\System32 and/or C:\Windows\SysWOW64 folder.
Additionally, have a look at the Resources section at the end of this post.
Prevention
Obviously, you would like to prevent these specific bypasses from ever occurring. Please find below some recommendations I've compiled:
- The most fireproof way is to simply not use an account with administrator permissions. Read:
How to change a Windows 10 user account type and why
Tip: create a separate, default/standard user account for friends and family that may be less technically adept. - Consider setting UAC to 'Always notify'. Read:
Change User Account Control settings in Windows 10/8
Tip: If you are in an organisation, you may want to read:
How do I change the behavior of User Account Control by using Group Policy?
and also read about AppLocker, for example to restrict DCCW - there is no point in someone running this binary in an organisation.
AppLocker & Lock down Windows 10 to specific apps
Note: there are AppLocker bypasses as well :-) See:
Bypassing Application Whitelisting with BGInfo
Additionally, have a look at the Resources section at the end of this post.
Conclusions
UAC bypasses are an interesting domain: while Microsoft seems to take a 'lighter' approach in regards to these specific bypasses, it doesn't mean they aren't being looked at. For example, latest releases of Windows 10 fix several UAC bypasses.
My hope is that, by accumulating the info in this blog post and following along my journey, you may find other UAC bypasses, or other cool stuff lying around :-)
Keep in mind that UAC bypasses are definitely out there in the wild - not only by pentesters, but also by attackers, whether cybercrime or APTs.
As always, feedback is appreciated.
Resources
Defeating Windows User Account Control (UACME)
Dridex Returns With Windows UAC Bypass Method
Enigma0x3's blog (tons of good stuff in there)
PowerShell-Suite/Bypass-UAC
User Account Control: Inside Windows 7 User Account Control
User Account Control Step-by-Step Guide
No comments:
Post a Comment