A new approach for Bypassing Windows 10 UAC with mock folders and DLL hijacking


A new technique has come to light in which an attacker uses a simplified combination of DLL hijacking and mock directories to bypass Windows 10's UAC security feature and run elevated commands without alerting the user. Windows UAC is a protection mechanism that asks the user to confirm that they wish to run a high-risk application before it is executed.

Daniel Gebert, a security researcher, describes a technique in which he bypassed Windows 10 User Account Control (UAC) through a combination of DLL hijacking and mock directories.

Mock Directories in Windows 10

Mock directories are folders with a trailing space in their name. An example makes this clearer: "C:\Windows\System32" is a trusted location on Windows machines. A mock directory looks similar to that directory but contains a trailing space, like the space between "Windows" and "\System32" in "C:\Windows \System32". Daniel used PowerShell to create mock directories, which comes with one restriction: a mock directory must include a subdirectory.

Using the above example, it is not possible to create "C:\Windows " but it is possible to create "C:\Windows \System32". Similarly, it is not possible to create mock directories via Windows Explorer by simply creating a new folder, but there are other ways to create this type of folder in Windows 10:
  • CMD: md "\\?\C:\Windows \System32"
  • Powershell: New-Item "\\?\C:\Windows \System32" -ItemType Directory
Daniel said that there are even more ways to create mock folders, but CMD and PowerShell are easy to use.
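The same trailing-space property that makes these folders easy to create also makes them easy to hunt for. The following PowerShell script is an added example written for this article, not code from Daniel Gebert's post: it lists directories under the system drive whose on-disk name ends in whitespace and offers a removal helper. It assumes an elevated PowerShell 5.1 or later session and that Get-ChildItem reports the raw directory name, including the trailing space, while the `\\?\` prefix (the same one used in the md and New-Item commands above) is needed to look inside or delete such a folder.

```powershell
# Added example (not from Daniel Gebert's post): find and remove "mock" directories,
# i.e. folders whose name ends in whitespace, under the system drive.
# Assumptions: elevated session, PowerShell 5.1+, Get-ChildItem returns the raw
# on-disk name so a trailing space survives in $_.Name.

function Find-MockDirectory {
    param(
        [string]$Root  = "$env:SystemDrive\",
        [int]   $Depth = 2
    )
    # A name that changes when its trailing whitespace is trimmed is a mock directory.
    Get-ChildItem -LiteralPath $Root -Directory -Recurse -Depth $Depth -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ne $_.Name.TrimEnd() } |
        ForEach-Object {
            # The \\?\ prefix bypasses the Win32 path normalisation that would
            # otherwise strip the trailing space and point at the real folder.
            $inside = Get-ChildItem -LiteralPath "\\?\$($_.FullName)" -Recurse -Force -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Path      = $_.FullName
                Created   = $_.CreationTime
                FileCount = @($inside | Where-Object { -not $_.PSIsContainer }).Count
                Dlls      = @($inside | Where-Object { $_.Extension -eq '.dll' }).Name -join ', '
            }
        }
}

function Remove-MockDirectory {
    param([Parameter(Mandatory)][string]$Path)
    # Same prefix for deletion; without it the path resolves to the legitimate folder.
    Remove-Item -LiteralPath "\\?\$Path" -Recurse -Force
}

# Usage: list and review first, remove only after confirming the folder is not expected.
$mock = Find-MockDirectory -Root "$env:SystemDrive\" -Depth 2
$mock | Format-Table -AutoSize
# foreach ($m in $mock) { Remove-MockDirectory -Path $m.Path }
```

The `Dlls` column is the useful part for triage: a trailing-space copy of a system folder that contains a DLL named after a library the real folder also ships (profapi.dll, version.dll) is exactly the pattern the rest of this article describes.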

Hijack DLL Files by using Mock Directories

During the preceding weeks, Daniel Gebert came across an article by Wietze Beukema about DLL hijacking using legitimate Windows executables. Wietze found that 300 Windows 10 executables were vulnerable to DLL hijacking that allows attackers to bypass the UAC security feature.

Wietze Beukema listed all Windows 10 executables that are candidates for DLL hijacking, along with the DLL files and entry points involved. For example, for "winsat.exe" he discovered that it could be used to bypass UAC by loading one of seven different .dll files, as shown in the image below.

[Image: the seven .dll files that winsat.exe can be made to load. Source: Daniel Gebert's IT blog]

Daniel said in his blog post that he is not able to write DLL files himself, but he found some templates on GitHub that can be used. However, these templates cover only a few files, and many of the DLLs Wietze used are not available as a template. In the past he used the template for "version.dll" and simply renamed it to hijack another .dll file. So he decided to follow Wietze's approach with some modifications, owing to his limited set of DLL files.

Attacking Approach

Daniel said in his blog post that he started with a simple Google search for auto-elevated executables in "C:\Windows\System32". Unfortunately, he couldn't find a complete list. So he did what Wietze did and copied all 616 executables (*.exe in System32) into the mock directory "C:\Windows \System32". Then he modified the existing "version.dll" template (from GitHub) to spawn a cmd shell, as shown below.

[Image: the modified version.dll template. Source: Daniel Gebert's IT blog]

After compiling version.dll he copied it into the mock folder "C:\Windows \System32". Now he had over 600 EXEs and only one .dll file. Executing every file and hoping that it would load "version.dll" did not seem a clever approach to him, but he decided to try it anyway. To see which .dll files are loaded by an executable he used Process Monitor from the Microsoft Sysinternals suite. After executing some files he noticed that "profapi.dll" is loaded by some executables (in his case "ComputerDefaults.exe"). By simply renaming "version.dll" to "profapi.dll" he was able to get an administrative Command Prompt shell.
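The same image-load observation that Process Monitor gave the researcher is available to defenders as a log: Sysmon's "Image loaded" event (Event ID 7) records every DLL a process maps, including the loaded path and whether the file is signed. The PowerShell below is an added example written for this article, not code from Daniel Gebert's post. It assumes Sysmon is installed with image-load logging enabled and that the session is elevated enough to read the Sysmon operational log; it flags any DLL loaded from a path whose directory component ends in whitespace, which is what "C:\Windows \System32\profapi.dll" looks like on disk.

```powershell
# Added example (not from Daniel Gebert's post): hunt Sysmon Event ID 7 for DLLs
# loaded from a mock directory (a path component ending in a space).
# Assumptions: Sysmon installed with ImageLoad events enabled; elevated session.

function Find-MockDirectoryDllLoad {
    param([int]$MaxEvents = 5000)

    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read EventData by field name rather than by property position so the
            # script does not depend on Sysmon's field ordering.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }

            # A directory name ending in whitespace appears as " \" inside the path.
            if ($data['ImageLoaded'] -match '\s\\') {
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    Process   = $data['Image']
                    Dll       = $data['ImageLoaded']
                    Signed    = $data['Signed']
                    Signature = $data['Signature']
                }
            }
        }
}

# Usage: any hit is worth investigating; a Signed value of "false" for a DLL
# carrying a system library's name (profapi.dll, version.dll) makes it urgent.
Find-MockDirectoryDllLoad | Sort-Object Time | Format-Table -AutoSize
```

Because genuine Windows folders never have trailing whitespace, the regex match alone is a high-fidelity indicator; the `Signed` and `Signature` fields are included so that an analyst can tell a planted, unsigned DLL from the Microsoft-signed original in one glance.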

[Image: administrative Command Prompt spawned via the renamed profapi.dll. Source: Daniel Gebert's IT blog]

Below is a proof-of-concept video shared by Daniel of the Windows 10 UAC bypass.

[Proof of Concept Video]

Mitigation

Daniel Gebert advised users to set UAC to the highest level (Always Notify) to prevent UAC bypass attacks. Doing so will always show the user a UAC prompt before high-risk applications are executed.
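The "Always Notify" slider in the Control Panel corresponds to a small set of registry policy values, which makes the recommended setting easy to audit across a fleet. The script below is an added example written for this article, not code from Daniel Gebert's post. It assumes an elevated session and uses the documented UAC policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System: EnableLUA = 1 (UAC on), ConsentPromptBehaviorAdmin = 2 (always prompt administrators for consent, so signed Windows binaries no longer elevate silently) and PromptOnSecureDesktop = 1 (prompt on the secure desktop).

```powershell
# Added example (not from Daniel Gebert's post): audit, and optionally enforce,
# the registry values behind the UAC "Always Notify" level.
# Assumption: run from an elevated PowerShell session.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacLevel {
    $p = Get-ItemProperty -Path $UacKey
    $alwaysNotify = ($p.EnableLUA -eq 1) -and
                    ($p.ConsentPromptBehaviorAdmin -eq 2) -and
                    ($p.PromptOnSecureDesktop -eq 1)
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA                  # 1 = UAC enabled
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin # 2 = always prompt for consent
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop      # 1 = prompt on the secure desktop
        AlwaysNotify               = $alwaysNotify
    }
}

function Set-UacAlwaysNotify {
    # DWord writes; EnableLUA only takes effect after a reboot, the other two apply immediately.
    Set-ItemProperty -Path $UacKey -Name EnableLUA                  -Value 1 -Type DWord
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop      -Value 1 -Type DWord
}

# Usage: report first, then enforce where the machine is not already at the top level.
$level = Get-UacLevel
$level | Format-List
if (-not $level.AlwaysNotify) {
    Write-Warning 'UAC is below "Always Notify"; auto-elevating Windows executables can run without a prompt.'
    # Set-UacAlwaysNotify
}
```

Windows' default level (ConsentPromptBehaviorAdmin = 5) is the one under which the technique in this article works, because it lets Microsoft-signed executables such as ComputerDefaults.exe elevate without a prompt; at value 2 the user sees a consent dialog for every elevation, which is the behaviour Daniel's mitigation relies on.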
