User Account Control (UAC) is a Windows security feature. It permits standard users to perform a limited set of administrative functions if they have been granted the authority to do so. It also serves a secondary but equally important purpose: it prevents standard users from performing specific actions that could pose a security risk to the system, by requiring administrator-level permissions for those functions.

UAC was created by Microsoft as an additional security control designed to limit the spread of malware and to keep users from making the system vulnerable. Have you ever needed to install a program, but Windows would not let you because you are not an administrator? That's it! Welcome to User Account Control (UAC).

UAC is a token-based access system: administrator accounts are issued a full-access token on successful login, and standard users are not. The trailing part of a Security Identifier (SID) identifies well-known accounts: a SID ending in 500 (SID-500) denotes the built-in Administrator account, one ending in 501 denotes the Guest account, and so on.

For a UAC bypass to succeed, the following conditions need to be met:
● A process running at medium integrity level.
● Login credentials for a standard user account that belongs to the local Administrators group on the system.
● The Windows executable must be signed with a Microsoft code-signing certificate.
● The Windows executable must be located in a secure directory.
● The Windows executable must also specify the auto-elevate property in its manifest.
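The conditions above depend on two things a defender can audit directly: the UAC policy values in the registry (which decide whether an auto-elevating binary elevates silently) and whether the current session holds a filtered administrator token at medium integrity. The PowerShell below is an added example, not code from the original article; the function names Get-UacPosture, Test-MediumIntegrityAdmin and Set-UacAlwaysNotify are this example's own, and the policy key path and value meanings are the documented Windows defaults.

```powershell
# Added example (not from the original article): audit the UAC settings that decide
# whether an auto-elevating binary prompts, and whether this session runs with a
# filtered (medium-integrity) administrator token.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPosture {
    $p = Get-ItemProperty -Path $policyKey
    # ConsentPromptBehaviorAdmin: 2 = "Always notify" (auto-elevate binaries still prompt),
    # 5 = default "Notify me only when apps try to make changes" (auto-elevate is silent),
    # 0 = elevate without prompting at all.
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        # True when a Microsoft-signed auto-elevate binary would elevate with no prompt.
        AutoElevateSilent          = ($p.EnableLUA -eq 1 -and $p.ConsentPromptBehaviorAdmin -ne 2)
    }
}

function Test-MediumIntegrityAdmin {
    # True when the token is a filtered admin token: member of BUILTIN\Administrators
    # (S-1-5-32-544) but running at Medium integrity. This is the precondition the
    # article lists for the bypasses that follow.
    $groups = whoami /groups
    $isAdminMember = ($groups -match 'S-1-5-32-544').Count -gt 0
    $isMedium      = ($groups -match 'Medium Mandatory Level').Count -gt 0
    return ($isAdminMember -and $isMedium)
}

function Set-UacAlwaysNotify {
    # Mitigation: "Always notify" makes auto-elevate binaries prompt on the secure desktop.
    # Requires an elevated session; this is the same value Group Policy writes.
    Set-ItemProperty -Path $policyKey -Name ConsentPromptBehaviorAdmin -Value 2
    Set-ItemProperty -Path $policyKey -Name PromptOnSecureDesktop -Value 1
}

Get-UacPosture
"Filtered admin token in this session: $(Test-MediumIntegrityAdmin)"
```

Run Get-UacPosture on a baseline build; if AutoElevateSilent reports True, every technique in this article has its first precondition satisfied, and Set-UacAlwaysNotify (from an elevated prompt, or the equivalent Group Policy setting) removes it at the cost of one extra prompt per elevation.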

Windows UAC Bypasses

Bypassing UAC is similar to picking a lock to achieve privilege escalation. There are many Windows UAC bypasses; below are a few of them:

  1. Windows UAC bypass, courtesy of Dhiraj Mishra. It is super easy to execute (it can be done in less than 30 seconds):
  ● In the Windows Run prompt type: netplwiz.exe
  ● Select the “Advanced” tab.
  ● Select the “Advanced” option in the Advanced user management section.
  ● The Local Users and Groups (Local) box will open; select “Help Topics.”
  ● Right-click and select “View Source.”
  ● Select “File,” then “Open.”
  ● Navigate to “Computer >> Local Disk (C:) >> Windows >> System32.”
  ● Change the selection to “All Files.”
  ● Find and select “cmd.exe.”
  ● Right-click “cmd.exe” and select “Run as administrator.”
  Voila! Prestidigitation. An administrator cmd prompt appears.
  2. The “fodhelper.exe” UAC bypass. The “fodhelper.exe” program enables users to manage optional features in the Windows Settings “Apps & Features” screen. The bypass, which is similar to the previously published “eventvwr.exe” bypass, abuses the auto-elevation trust that Windows grants to Microsoft-signed binaries located in trusted folders such as C:\Windows\System32. Since “fodhelper.exe” is a trusted binary, Windows does not prompt for administrator approval when it elevates.

The “fodhelper.exe” binary consults two registry keys, one of which is editable by the user and can be weaponized in combination with malware capable of running scripts in the background with elevated administrator access.

HKCU:\software\classes\ms-settings\shell\open\command\(default) is the editable registry key associated with the “fodhelper.exe” binary. The bypass executes in memory, so there is no file dropping or DLL hijacking involved. However, for this bypass to work properly, the user account must be part of the local Administrators group.

  3. It is also possible to bypass UAC in Windows 7/8/10 and Server 2K8, 2K12 and 2K16 by hijacking the COM object {0A29FF9E-7F9C-4437-8B11-F424491E3931}. Target apps: eventvwr.exe or mmc.exe.

This bypass is a bit more advanced and requires advanced knowledge of the Kali Linux OS and the Metasploit Framework (MSF). Watch the YouTube video for step-by-step instructions, or read Enigma0x3's (Matt Nelson) “CVE-2018-8414: A case study in responsible disclosure.”
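Both the fodhelper.exe technique and the COM-object hijack above work by planting keys under the current user's HKCU:\Software\Classes hive, which a standard user can write but which shadows the machine-wide class registrations when an auto-elevating binary looks them up. Those keys do not exist on a clean profile, so their presence is a usable indicator. The PowerShell below is an added example, not code from the original article; the function name Find-UacBypassKeys is this example's own, and the two paths are the ms-settings handler from the fodhelper section and the CLSID named in item 3.

```powershell
# Added example (not from the original article): report per-user registry keys that
# the fodhelper.exe bypass and the eventvwr/mmc COM hijack rely on. Run as the user
# whose profile is being examined; no elevation is needed to read HKCU.

$indicators = @(
    @{ Name = 'ms-settings open handler (fodhelper.exe bypass)'
       Path = 'HKCU:\Software\Classes\ms-settings\shell\open\command' },
    @{ Name = 'per-user COM override for {0A29FF9E-7F9C-4437-8B11-F424491E3931} (eventvwr/mmc hijack)'
       Path = 'HKCU:\Software\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}' }
)

function Find-UacBypassKeys {
    foreach ($i in $indicators) {
        if (-not (Test-Path -LiteralPath $i.Path)) { continue }

        # Collect the key and every subkey (the COM hijack stores its payload path
        # under subkeys such as InprocServer32), with all non-PowerShell values.
        $keys = @(Get-Item -LiteralPath $i.Path) + @(Get-ChildItem -LiteralPath $i.Path -Recurse)
        foreach ($k in $keys) {
            $props  = Get-ItemProperty -LiteralPath $k.PSPath
            $values = $props.PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { "$($_.Name)=$($_.Value)" }
            [pscustomobject]@{
                Indicator = $i.Name
                Key       = $k.Name
                # (default) is the command or server path an elevated process would use.
                Default   = $props.'(default)'
                Values    = ($values -join '; ')
            }
        }
    }
}

$hits = @(Find-UacBypassKeys)
if ($hits.Count -eq 0) {
    'No per-user ms-settings or CLSID override keys found.'
} else {
    $hits | Format-List
}
```

Any hit should be reviewed rather than deleted blindly, because the Values column shows exactly what would have run at high integrity; once confirmed, Remove-Item -LiteralPath <key> -Recurse clears the artifact, and scheduling the same check (or an equivalent registry-write alert from your EDR on these two paths) turns it into ongoing detection.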