“Do you want to allow the following program to make changes to this computer?”
Any Windows user has probably seen more than their fair share of prompts like this one.
It may be annoying at times, but it is part of the User Account Control (UAC) security system of Windows XP through Windows 10. UAC prevents programs and processes from making unauthorized changes to your computer without approval from an administrator.
It’s vital that you leave this enabled so you have another layer of protection against malicious software that attempts system-wide modifications to your machine. Without UAC prompts, malware can make changes to your PC unhindered.
But is Windows UAC reliable? Not exactly, says security researcher Matt Nelson. According to Threatpost, he found an exploit that can completely bypass UAC and run high-privilege commands, including malicious scripts, without leaving any trace or evidence.
Since this exploit does not involve installing malware or dropping files to disk, Nelson says that even security solutions such as antivirus software would not detect this type of attack.
The weakness he discovered is in Windows’ own Event Viewer, the feature that lets users review system event logs. He abused this process (eventvwr.exe) to hijack the Microsoft Management Console through a registry change and then launch a PowerShell session.
Within PowerShell, he could then run any arbitrary code he wished without leaving a single trace. Because of the nature of this attack, it may slip past not only antivirus and computer forensics tools but also the system administrators themselves.
According to Nelson’s blog post:
“Due to the fact that I was able to hijack the process being started, it is possible to simply execute whatever malicious PowerShell script/command you wish. This means that code execution has been achieved in a high integrity process (bypassing UAC) without dropping a DLL or other file down to the file system. This significantly reduces the risk to the attacker because they aren’t placing a traditional file on the file system that can be caught by AV/HIPS or forensically identified later.”
He added that he had already informed Microsoft about this flaw, but was told that UAC bypasses such as this are not critical enough to need patching.
It’s a sound argument from Microsoft, since this particular exploit requires the attacker to already have control of the target machine, meaning it is already compromised in the first place.
Microsoft told Threatpost via a spokesperson statement that it’s “not a vulnerability but a method of bypassing a defense-in-depth feature.” Since it is a post-exploitation technique, they recommend that “customers follow best practices and not run machines in administrator mode full-time” to prevent this method of attack.
It is still a valid concern, though, since this technique does not require dropping files such as DLLs or injecting into processes to bypass UAC. It is an approach that attackers could build on in the future, and it may be a springboard for other fileless malware attacks.
As for preventing this exploit, Nelson recommends that Windows system administrators set the UAC level to “Always Notify” and, quite obviously, remove the attacker from the local Administrators security group.
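As an added example (not code from the article or from Nelson’s research), the PowerShell script below audits the two mitigations just mentioned on a Windows 10 host and can enforce the “Always Notify” level. It assumes PowerShell 5.1 with the built-in LocalAccounts module and an elevated session.

```powershell
# Added example, not part of the original article. Audits UAC level and local
# Administrators membership; -Enforce sets the prompt level to "Always Notify".
# Run from an elevated PowerShell 5.1 session on Windows 10.

function Test-UacHardening {
    param([switch]$Enforce)

    $policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $policy
    $findings = @()

    # EnableLUA = 0 means UAC is switched off entirely.
    if ($p.EnableLUA -ne 1) { $findings += 'UAC (EnableLUA) is disabled' }

    # The "Always Notify" slider position corresponds to
    # ConsentPromptBehaviorAdmin = 2 with PromptOnSecureDesktop = 1.
    # The Windows default is 5, which does not prompt for certain Windows
    # binaries; that silent elevation is what fileless bypasses rely on.
    if ($p.ConsentPromptBehaviorAdmin -ne 2) {
        $findings += "ConsentPromptBehaviorAdmin is $($p.ConsentPromptBehaviorAdmin); expected 2 (Always Notify)"
        if ($Enforce) {
            Set-ItemProperty -Path $policy -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
        }
    }
    if ($p.PromptOnSecureDesktop -ne 1) {
        $findings += 'PromptOnSecureDesktop is not 1; prompts are not on the secure desktop'
        if ($Enforce) {
            Set-ItemProperty -Path $policy -Name PromptOnSecureDesktop -Value 1 -Type DWord
        }
    }

    # Every principal listed here can elevate; it should be a short, known list.
    # Unexpected members are candidates for Remove-LocalGroupMember.
    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        $findings += "Local Administrators member: $($m.Name) [$($m.ObjectClass)]"
    }
    return $findings
}

# Audit only; add -Enforce to apply the Always Notify setting.
Test-UacHardening | ForEach-Object { Write-Output $_ }
```

Changes to ConsentPromptBehaviorAdmin take effect for new elevation requests without a reboot; removing a group member is left as a manual step because it requires naming the account in question.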