New Windows zero-day flaw bypasses UAC

Filed Under: Video, Vulnerability, Windows

A new zero-day exploit in Microsoft Windows was disclosed today. The exploit allows an application to elevate privilege to "system," and in Vista and Windows 7 also bypass User Account Control (UAC). The flaw was posted briefly on a programming education site and has since been removed.

Proof of concept for elevation of privilege exploit
The exploit takes advantage of a bug in win32k.sys, which is part of the Windows kernel. The flaw is related to the way in which a certain registry key is interpreted and enables an attacker to impersonate the system account, which has nearly unlimited access to all components of the Windows system. The registry key in question is under the full control of non-privileged users.

The flaw appears to affect all versions of Windows back to at least Windows XP, including the latest Windows 2008 R2 and Windows 7 systems. On its own, this bug does not allow remote code execution (RCE), but does enable non-administrator accounts to execute code as if they were an administrator.

There is one mitigation I discovered while researching this exploit. Unfortunately it is somewhat complicated. To prevent the flaw from being exploited, you can perform the following actions:

  1. As an Administrator open Regedit and browse to HKEY_USERS\[SID of each user account]\EUDC
  2. Right-click EUDC and choose permissions
  3. Choose the user whose account you are modifying and select Advanced
  4. Select Add and then type in the user's name and click OK
  5. Click the Deny checkbox for Delete and Create Subkey
  6. Click all the OKs and Apply buttons to exit

Registry permissions for mitigation

The registry keys being changed by this mitigation should not impact a user's ability to use the system, but changing permissions related to Windows code page settings may cause problems with multilingual installations. In my testing it appears problem-free, but I have only had an hour or two to test. Use at your discretion.
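As an added example (not from the original post), the same six steps as a PowerShell script to run from an elevated prompt. It only touches hives currently loaded under HKEY_USERS, so it covers logged-on users and skips profiles without an EUDC key; the `-Preview` switch is my own addition for a dry run.

```powershell
# Added example, not part of the original post: applies steps 1-6 above with
# PowerShell instead of Regedit. Run from an elevated (Administrator) prompt.
# Assumption: only hives currently loaded under HKEY_USERS are visible, so
# users who are not logged on are not covered until they log on.
param(
    [switch]$Preview   # show what would change without calling Set-Acl
)
$RightsToDeny = [System.Security.AccessControl.RegistryRights]'Delete, CreateSubKey'

# Step 1: one hive per loaded user profile, named by SID. Keep real user
# SIDs (S-1-5-21-...) and skip the companion *_Classes hives.
$userHives = Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' }

foreach ($hive in $userHives) {
    $sid      = $hive.PSChildName
    $eudcPath = "Registry::HKEY_USERS\$sid\EUDC"
    if (-not (Test-Path -Path $eudcPath)) {
        Write-Warning "No EUDC key under $sid; nothing to harden for this profile"
        continue
    }

    # Step 4: resolve the SID to the account name that will appear in the ACL.
    try {
        $account = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount])
    } catch {
        Write-Warning "Cannot translate $sid to an account name; skipping"
        continue
    }

    # Step 5: a Deny rule for Delete and Create Subkey on EUDC and its subkeys.
    $rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
        $account,
        $RightsToDeny,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny
    )
    $acl = Get-Acl -Path $eudcPath
    $acl.AddAccessRule($rule)

    if ($Preview) {
        Write-Host "Would deny $RightsToDeny to $account on $eudcPath"
    } else {
        Set-Acl -Path $eudcPath -AclObject $acl    # step 6: apply the change
        Write-Host "Denied $RightsToDeny to $account on $eudcPath"
    }
}
```

Verify afterwards with `(Get-Acl "Registry::HKEY_USERS\<SID>\EUDC").Access`, which should list the new Deny entry for the user ahead of the inherited Allow entries.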

The good news? For this to be exploited, malicious code that uses the exploit needs to be introduced. This means your email, web, and anti-virus filters can prevent malicious payloads from being downloaded. Keep an eye on the Naked Security blog for more information as we learn more about this flaw.

Update: Sophos detects the proof of concept as Troj/EUDPoC-A. Stay tuned for further details as they become available.

I've also created this video showing how it works and what you can do.

Update: Microsoft fixed this vulnerability in bulletin MS11-011 in February of 2011.



26 Responses to New Windows zero-day flaw bypasses UAC

  1. Dick · 1430 days ago

    exploit-db.com still has the source code. Get it while it's hot.

  2. Dick · 1430 days ago

    Added note: that 0-day exploit in Internet Explorer is looking increasingly useful. Would it be possible to use that exploit (CVE-2010-3962) in correspondence with this one? If so, god have mercy.

    • Chester Wisniewski · 1430 days ago

      Unfortunately yes. The fact that the code is still available isn't necessarily a good thing, although once the cat is out of the bag you simply aren't likely to have a very happy cat.

      Chester

  3. Patrick Brett · 1430 days ago

    Great vid, but how do I lock down the kernel exploit in Windows XP? I looked at the registry and I don't have any user EUDC folders.

    • antivir2010 · 1429 days ago

      There is no UAC in Windows XP

      • Chester Wisniewski · 1429 days ago

        The bug is in the Windows kernel, not UAC. The way the flaw works bypasses UAC so a user is not alerted to the fact that a non-privileged application is now running as system.

    • Chester Wisniewski · 1429 days ago

      I am still investigating the flaw. I do not believe it entirely relies on these registry keys, but the proof of concept does. As more information becomes available I will likely post a follow-up blog entry with more details. Kernel bugs are sometimes tricky to work out all the ways they can be exploited and defended against.

  4. Richard · 1429 days ago

    Has there been any response from Microsoft yet? I've just checked the MSRC and SRD blogs, and there's nothing there. The list of security advisories [1] was last updated on the 9th.

    Maybe all the security people are based in the US and have gone home for Thanksgiving?

    [1] http://www.microsoft.com/technet/security/advisor...

    • Chester Wisniewski · 1429 days ago

      Oddly they have only posted to Twitter. You can look them up as @MSFTSecResponse

  5. Isn't blocking all writing to the registry for a user going to mean that there are lots of programs they can't run? Isn't the defence itself going to cause all kinds of headaches? If not that it looks easy to fix, but it doesn't **feel** like it can be that simple - there are surely plenty of things that programs have legitimate need to write (and later modify/delete) registry keys for?

    • Chester Wisniewski · 1429 days ago

      The steps in the blog only prevent certain keys related to keyboard languages from being deleted and created by a user. It does not impact parts of the registry required for Windows to work properly.

  6. janice · 1429 days ago

    I'm not a technical person in regards to my laptop, though I avidly read everything you post. What can I do to protect my laptop?

    • Chester Wisniewski · 1429 days ago

      Not much at this point. We are waiting to see what Microsoft recommends once they have had a chance to look at the flaw.

  7. hippie · 1429 days ago

    Uninstall Windows and install Linux.

  8. HackerDude · 1428 days ago

    Some people have loud mouths. Exploits like these should be kept private in VIP areas on forums. Stupid script kiddies talking too loud.

    The UAC was never really a problem because binding a RAT to legit piece of software and ensuring it's FUD will fool 99% of people into allowing it to run.

    Sophos, you're 10 steps behind us hackers. All of my latest exes are undetectable by Sophos and other AVs.

    We will always win :D

    • LTC Lady NH · 1425 days ago

      I don't understand why you do it in the first place. No life?

      • Sizzle · 1401 days ago

        Hackerdude, you're not the first person to create malicious scripts and yours probably aren't as "uber" as you self-proclaim them to be. Do something positive with your average skills mate and hop off the pedestal as it's probably kinda lonely up in your frustrated world.

  9. macattack · 1425 days ago

    Is there any way to trace the hackers on this thread via IP address or some other means? Would be nice if you folks were to report them to the proper authorities if at all possible.

  10. Traveller · 1424 days ago

    Where's Microsoft's webpage on this?

  11. Starr · 1424 days ago

    Our computer shows the following after we found out it wasn't booting up: "Load needed dll for kernel". When we try to use the Windows XP disk it says it needs an administrator's password and there is none. Plus it got to a point where it now states "can not load file bootvid.dll". Could this be the virus you are talking about, and can you help me to fix it? I can't get it to boot up past the screen.

    • Chester Wisniewski · 1423 days ago

      Unfortunately it is not likely the cause of your trouble. You should likely contact a specialist to help you repair or clean your installation.

  12. Brazilian user · 1421 days ago

    The last Windows update for XP solved the problem in these last days, but the files to fix the problem were enough for only 24 hours. The virus, worm or malware is already up to date and the problem returned. We are out of the city now. To format is the only option to solve it, but we can't copy our backup files to the computer, for the virus stays in the files and returns. Is it possible that the US government is using our computers to knock down Wikileaks?

  13. Will this be patched in the latest Windows Update?

  14. Sizzle · 1402 days ago

    Ha ha.... Hackerdude is so awesome. She's so above everyone. I want to be him / her / it. Will you be my hero?
    Tell me, did Mummy not buy you the BMX you wanted for your 10th birthday and you've never got over it? Do something positive with your self-proclaimed "uber" scripting skills and get a counsellor; it will help with your inferiority complex.

  15. GotMalware · 1388 days ago

    Yippee for Hackerdude...

    He graduated from 53-63-72-69-70-74-20-4b-69-64-64-69-65 to 55-62-65-72-20-53-63-72-69-70-74-20-4b-69-64-64-69-65

    Perhaps he'll decode this in the same amount of time it takes him to figure out what ID10T means.

  16. Michelasso · 1249 days ago

    What I do not understand is why MS is taking so long to use a Unix approach.


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.