A third exploit, with video.
Today I finished writing a proof-of-concept application that demonstrates a third flaw of the Windows 7 UAC design.
I don't know whether this is fixed in the reported changes that will go into the final build, as they haven't been released for people to inspect. I feel there really should be another beta at least, else these problems could wind up left in the retail release.
The flaw I demonstrate allows:
- Any *unelevated* process
- On an x64 or x86 Windows 7 with default settings
- To create and use elevated COM objects without any UAC prompts
- Using code injection into *any* process that is flagged for silent elevation.
If it needed to, it could scan the running processes and pick a random one that had the appropriate elevation manifest, but at the moment it just targets Explorer.exe.
It demonstrates what I was trying to prove, which is that fixing the problem in, or removing the silent elevation flag from, individual programs such as RunDll32.exe may make attacks a little bit harder but does not fix the problem.
Here is a video (with a mirror site donated by a friend as the first one seemed slow):
http://nudel.kelbv.com/W7Elevate/W7Elevate.htm
http://leo.lss.com.au/W7Elevate/W7Elevate.htm
I'm in the process of writing up what it does. The write-up will appear here once I've finished it:
http://www.pretentiousname.com/misc/win7_uac_whitelist2.html
(If the URL doesn't work then I'm still typing away. :))
Before anyone says that "it just copies a file, so what?!", note that it's copying to Program Files, a protected area, and I could trivially make it do other things. The demo is just to prove that the unelevated process is doing things it shouldn't be able to do. My intention isn't to produce a proof-of-concept program that actually does some damage; just to prove that there's a problem here that could be exploited by someone malicious.
Besides, if you can rename, delete and replace files in System32 and Program Files then you can easily take full control of a machine.