
Cylance SPEAR Team Report: Trick Us Once, Shame on UAC


Copyright 2015

Introduction

A decision can only be as good as the information that informs it, and the value of that information no better than the decision maker’s ability to comprehend it. Such is the case with Microsoft’s User Account Control, that notorious security feature introduced in Windows Vista. The contemptibly familiar prompt is immediately recognizable to many users:

But what’s under “Show details”? Why, the devil of course.

Cylance SPEAR Team Takes On ShameOnUAC

The Cylance SPEAR Team investigates present and future threats of all shapes and sizes. We’d been curious about the potential for subverting programs during elevation, so when we formed the SPEAR Team, it seemed like as good a time as any to start prototyping. The command lines supplied to elevated programs seemed an obvious place to start.

Introducing ShameOnUAC. Much like actual malware, ShameOnUAC starts by injecting itself into the unprivileged Explorer process; once there, it hooks SHELL32!AicLaunchAdminProcess and waits for the user to ask to run a program as administrator, then tampers with the elevation request before it is sent to the AppInfo service. This is the downside of having an unprivileged (medium integrity) process submit elevation requests on the user’s behalf: anything that controls that process controls what the request says, and the consent prompt can only describe the request it receives.

ShameOnUAC


Here’s how UAC works normally:

And here is how it works with ShameOnUAC:


Technical Details

ShameOnUAC’s AicLaunchAdminProcess hook currently targets requests to elevate cmd.exe and regedit.exe, though more targets are surely possible. It only replaces the command line, since pointing the request at a different application would visibly alter the prompt and tip off the user. For cmd.exe, ShameOnUAC appends a “/C” argument (which makes cmd.exe execute the command string that follows it) so that, upon clicking Yes, the user gets the expected administrator command prompt, but ShameOnUAC gets to run a command of its choosing first. At that point, it has attained administrator privileges. The tampered command line is visible the whole time under “Show details”; the user simply has to look.

The regedit.exe case is more interesting because getting from command line to compromise is less direct. Regedit’s supported arguments naturally involve the registry, so ShameOnUAC causes regedit to silently import a .reg file via a “/S” argument. If that were the extent of it, the user would never get their expected regedit window and might wonder what happened. ShameOnUAC’s solution is to have the .reg file register a library in AppInit_DLLs (a list of DLLs that Windows loads into every process that loads user32.dll) and then issue a second elevation request. That request produces a new consent.exe process, which runs as SYSTEM under the AppInfo service and loads the ShameOnUAC library before displaying anything to the user; the library in turn tweaks the parameters consent.exe receives from the AppInfo service to suppress the consent prompt. In sum, the user gets the expected regedit window—after ShameOnUAC gets SYSTEM privileges. Two caveats a defender should keep in mind: the AppInit_DLLs write itself is the first action in this chain that cannot be explained by a legitimate “Run as administrator” of regedit, and on Windows 8 and later the AppInit_DLLs mechanism is disabled when Secure Boot is enabled, which closes this particular route (though not the cmd.exe one).

Be Informed

Essentially, ShameOnUAC demonstrates an opportunistic privilege elevation from medium to high integrity (and, via the AppInit_DLLs route, to SYSTEM) when UAC is in use. Admittedly the technique has little to offer attackers beyond all the privilege elevation exploits already at their disposal: it still needs the user to request an elevation and click Yes. It’s important to point out, though, that UAC is working here as designed; the prompt faithfully describes the request it was given, and the tampered command line is right there on it. What’s creepy is that ShameOnUAC is so easily detectable, if only users would select “Show details”.

Now that we’ve played with ShameOnUAC, we always click the “Show details” button, because the next time we don’t, it could be shame on us.

About Cylance:

Cylance is the first company to apply artificial intelligence, algorithmic science and machine learning to cybersecurity and improve the way companies, governments and end-users proactively solve the world’s most difficult security problems. Using a breakthrough predictive analysis process, Cylance quickly and accurately identifies what is safe and what is a threat, not just what is in a blacklist or whitelist. By coupling sophisticated machine learning and artificial intelligence with a unique understanding of a hacker’s mentality, Cylance provides the technology and services to be truly predictive and preventive against advanced threats. For more information, visit cylance.com