The researcher detailed a bypass technique that is quite differed to the previous ones he devices, the new method “doesn’t rely on the IFileOperation/DLL hijacking approach”.
“I’ve previously blogged about two different bypass techniques, and this post will highlight an alternative method that also doesn’t rely on the IFileOperation/DLL hijacking approach.” reads a blog post published by Nelson. “This technique works on Windows 10 build 15031, where the vast majority of public bypasses have been patched.”
The expert explained that there are several signed binaries in Microsoft OS that auto-elevate due to their manifest. Nelson analyzed them and focused its investigation on sdclt.exe, which is the process associated with the Backup and Restore tool in Windows.
He discovered that sdclt.exe auto-elevates due to its manifest only in Windows 10.
The sdclt.exe starts control.exe to open up a Control Panel item in high-integrity context, the process obtains the path to control.exe by querying the App Path key for it within the HKEY_CURRENT_USER hive.
“Looking again at the execution flow, sdclt.exe queries the App Path key for control.exe within the HKEY_CURRENT_USER hive.” explained Nelson.
“Calls to HKEY_CURRENT_USER (or HKCU) from a high integrity process are particularly interesting. This often means that an elevated process is interacting with a registry location that a medium integrity process can tamper with,”
An attacker can modify the key that is retrieved by the sdclt.exe query, the expert managed to have cmd.exe returned to the query.
The method doesn’t allow for using parameters, in order to exploit it the attacker has to place the malicious payload to the disk.
“If you try to give the binary any parameters (e.g, C:\Windows\System32\cmd.exe /c calc.exe), it will interpret the entire string as the lpFile value to the ShellExecuteInfo structure, which is then passed over to ShellExecuteEx. Since that value doesn’t exist, it will not execute.” continues Nelson.
The expert published a PoC script to demonstrate the method, he explained that attack can be prevented by setting the UAC level to “Always Notify” or by removing the current user from the Local Administrators group.
(Security Affairs – User Account Control, hacking)