New Windows zero-day flaw bypasses UAC


A new zero-day exploit in Microsoft Windows was disclosed today. The exploit allows an application to elevate privilege to “system,” and in Vista and Windows 7 also bypass User Account Control (UAC). The flaw was posted briefly on a programming education site and has since been removed.

Proof of concept for elevation of privilege exploit
The exploit takes advantage of a bug in win32k.sys, which is part of the Windows kernel. The flaw is related to the way in which a certain registry key is interpreted and enables an attacker to impersonate the system account, which has nearly unlimited access to all components of the Windows system. The registry key in question is under the full control of non-privileged users.

The flaw appears to affect all versions of Windows back to at least Windows XP, including the latest Windows 2008 R2 and Windows 7 systems. On its own, this bug does not allow remote code execution (RCE), but does enable non-administrator accounts to execute code as if they were an administrator.

There is one mitigation I discovered while researching this exploit. Unfortunately it is somewhat complicated. To prevent the flaw from being exploited you can perform the following actions:

  1. As an Administrator open Regedit and browse to HKEY_USERS\[SID of each user account]\EUDC
  2. Right-click EUDC and choose permissions
  3. Choose the user whose account you are modifying and select Advanced
  4. Select Add and then type in the user’s name and click OK
  5. Click the Deny checkbox for Delete and Create Subkey
  6. Click all the OKs and Apply buttons to exit

Registry permissions for mitigation

The registry keys being changed by this mitigation should not impact a user’s ability to use the system, but changing permissions related to Windows code page settings may cause problems with multilingual installations. In my testing it appears problem-free, but I have only had an hour or two to test. Use at your discretion.

The good news? For this to be exploited, malicious code that uses the exploit needs to be introduced. This means your email, web, and anti-virus filters can prevent malicious payloads from being downloaded. Keep an eye on the Naked Security blog for more information as we learn more about this flaw.

Update: Sophos detects the proof of concept as Troj/EUDPoC-A. Stay tuned for further details as they become available.

I’ve also created this video showing how it works and what you can do.

Update: Microsoft fixed this vulnerability in bulletin MS11-011 in February of 2011.