Novel Exploit Chain Enables Windows UAC Bypass

  /     /     /  
Publicated : 23/11/2024   Category : security


Novel Exploit Chain Enables Windows UAC Bypass


Adversaries can exploit CVE-2024-6769 to jump from regular to admin access without triggering UAC, but Microsoft says its not really a vulnerability.



Researchers have flagged a weakness theyre tracking as CVE-2024-6769, calling it a combination user access control (UAC) bypass/
privilege escalation vulnerability
 in Windows. It could allow an authenticated attacker to obtain full system privileges, they warned.
Thats according to Fortra,
which assigned the issue
a medium severity score of 6.7 out of 10 on the Common Vulnerability Scoring System (CVSS) scale. Its proof-of-concept exploit demonstrates that you have the ability to shut down the system, stressed Tyler Reguly, associate director of security R&D at Fortra. There are certain locations on the drive where you can write and delete files that you couldnt previously. That includes, for example, C:Windows, so an attacker could take ownership over files owned by SYSTEM.
For its part, Microsoft acknowledged the research but said it does not consider this an actual vulnerability, because it falls under its concept of acceptability to have non-robust security boundaries.
To understand Fortras findings, we have to go back to Windows Vista, when Microsoft introduced the model of Mandatory Integrity Control (MIC). Simply put, MIC assigned every user, process, and resource a level of access, called an integrity level. Low integrity levels were afforded to all, medium for authenticated users, high for administrators, and system for only the most sensitive and powerful.
Alongside those integrity levels came UAC, a security mechanism that runs most processes and applications at the medium level by default, and requires explicit permission for any actions that require greater privileges than that. Typically, an admin-level user can upgrade simply by right-clicking a command prompt and selecting Run as Administrator.
By combining two exploit techniques, Fortra researchers demonstrated in their proof of concept how an already-authorized user could slither through this system, jumping across the security boundary imposed on the medium integrity level to obtain full administrative privileges, all without triggering UAC.
To exploit CVE-2024-6769, an attacker first must have a foothold in a targeted system. This requires the medium integrity-level privileges of an average user, and the account from which the attack is triggered must belong to the systems administrative group (the type of account that could level up to admin privileges, if not for UAC being in its way).
The first step in the attack involves
remapping the targeted systems root drive
— such as C: — to a location under their control. This will also shift the system32 folder, which many services rely on to load critical system files.
One such service is the CTF Loader, ctfmon.exe, which runs without administrator privileges at a high integrity level. If the attacker places a specially crafted, copycat DLL in the copycat system32 folder, ctfmon.exe will load it and execute the attackers code at that high integrity level.
Next, if the attacker wishes to obtain full administrative privileges, they can
poison the activation context cache
, which Windows uses to load specific versions of libraries. To do this, they craft an entry in the cache pointing to a malicious version of a legitimate system DLL, contained in an attacker-generated folder. Through a specially crafted message to the Client/Server Runtime Subsystem (CSRSS) server, the fake file is loaded by a process that has administrator privileges, granting the attacker full control over the system.
Despite the potential for privilege escalation, Microsoft refused to accept the issue as a vulnerability. After Fortra reported it, the company responded by pointing to the non-boundaries section of the
Microsoft Security Servicing Criteria for Windows
, which outlines how some Windows components and configurations are explicitly not intended to provide a robust security boundary. Under the pertinent Administrator to Kernel section, it reads:
Essentially, Reguly explains, They see the admin-to-system boundary as a nonexistent boundary, because admin is trusted on a host. In other words, Microsoft doesnt consider CVE-2024-6769 a vulnerability if an admin user could ultimately perform the same system-level actions anyway, subject to UAC approval.
In a statement to Dark Reading, a Microsoft spokesperson highlighted that The method requires membership in the Administrator group, so the so-called technique is just leveraging an intended permission or privilege which does not cross a security boundary.
Reguly and Fortra disagree with Microsofts perspective. When UAC was introduced, I think we were all sold on the idea that UAC was this great new security feature, and Microsoft has a history of fixing bypasses for security features, he says. So if theyre saying that this is a trust boundary that is acceptable to traverse, really what theyre saying to me is that UAC is not a security feature. Its some sort of helpful mechanism, but its not actually security related. I think its a really strong philosophical difference.
Philosophical differences aside, Reguly stresses that businesses need to be aware of the risk in allowing lower-integrity admins to escalate their privileges to attain full system controls.
At the end of a CVE-2024-6769 exploit, an attacker would have full reign to manipulate or delete critical system files, upload malware, establish persistence, disable security features, access potentially sensitive data, and more.
Thankfully, only administrators are impacted by this, which means that most of your standard users are unaffected, Fortra noted in an FAQ to reporters. For administrators, it is important to ensure that you are not running binaries whose origins cannot be verified. For those admins, however, vigilance is the best defense at the moment.

Last News

▸ Car Sector Speeds Up In Security. ◂
Discovered: 23/12/2024
Category: security

▸ Making use of a homemade Android army ◂
Discovered: 23/12/2024
Category: security

▸ CryptoWall is more widespread but less lucrative than CryptoLocker. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Novel Exploit Chain Enables Windows UAC Bypass