A new Windows User Account Control (UAC) bypass technique has been reported by the security researcher Matt Nelson. The method is described as "Fileless" because, unlike earlier techniques, it does not require copying any file to the file system. The bypass relies only on Windows registry entries to achieve the privilege escalation.
The New UAC Bypass
Matt Nelson has worked on Windows vulnerability research before. His latest findings describe a new bypass of the Windows User Account Control security feature, which he reports is different from the publicly known UAC bypass techniques. Most of those rely on a privileged file copy, either through the WUSA extraction trick on Windows 7 or through the IFileOperation COM object, to place a DLL in a protected system location where an auto-elevated process will load it. The new bypass is expected to work on all versions of Windows that employ the UAC security feature.
The bypass lets a local user run code at high integrity without going through the UAC consent dialog. It is a local privilege escalation, not remote code execution: an attacker must already be able to run code on the machine, as a user who is a member of the local Administrators group, to make use of it.
The bypass hinges on eventvwr.exe, an auto-elevating Microsoft binary that runs as a high-integrity process without a UAC prompt for members of the local Administrators group. At startup it resolves the file-type handler for its .msc snap-in through HKEY_CLASSES_ROOT (HKCR), which is a merged view of HKEY_LOCAL_MACHINE\Software\Classes (HKLM) and HKEY_CURRENT_USER\Software\Classes (HKCU), with the per-user HKCU entries taking precedence. Because HKCU is writable by the current user without elevation, the user can plant a handler of their own (the disclosure names the key HKCU\Software\Classes\mscfile\shell\open\command) and then simply launch eventvwr.exe. The high-integrity process reads the planted value and runs whatever command it contains, for example a PowerShell script, with elevated privileges and without the UAC dialog that would normally ask for explicit consent.
The security implications can be severe because the technique needs no file operations at all. Most anti-virus suites offer heuristic scanning that looks for unusual behaviour such as DLL drops into protected system folders, and they may block the older UAC bypasses on that basis. The "Fileless" bypass leaves no such artefact on disk and is therefore much harder for those countermeasures to catch.
How to Protect Yourself from the New UAC Vulnerability
The researcher offers a few simple mitigations that stop the bypass from running arbitrary code. Administrators can raise the UAC level to "Always Notify", which disables silent auto-elevation so that launching eventvwr.exe itself triggers a prompt. The working user can also be removed from the local Administrators group; a standard user's eventvwr.exe never auto-elevates, so the planted registry entry can only run with the user's own privileges. System administrators can also monitor for the creation or modification of keys under HKCU\Software\Classes, which is where the hijacked handler has to be written.
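The following script is an added example, not code from the original article or from Matt Nelson. It audits, from an ordinary medium-integrity PowerShell prompt, the three conditions described above: a per-user .msc handler under HKCU\Software\Classes overriding the machine-wide one through the HKCR merge, membership of the current user in the local Administrators group, and a UAC level below "Always Notify". The mscfile handler key is the one named in the original disclosure; the function names, the output format and the optional `-Remediate` switch are this example's own choices.

```powershell
# Added example (not from the original article or Matt Nelson's code).
# Audits the conditions the eventvwr.exe fileless UAC bypass depends on and
# optionally removes a per-user .msc handler. Run from a normal PowerShell
# prompt; nothing here requires elevation.
param([switch]$Remediate)

$MscHandler = 'mscfile\shell\open\command'   # key named in the original disclosure

function Get-DefaultValue {
    # Returns the (default) value of a registry key, or $null if the key is absent.
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { return $null }
    return (Get-ItemProperty -Path $Path).'(default)'
}

function Test-MscHandlerHijack {
    # HKCR is a merged view in which HKCU\Software\Classes takes precedence over
    # HKLM\Software\Classes. eventvwr.exe resolves the .msc handler through that
    # view while running at high integrity, so a per-user entry wins.
    $user    = Get-DefaultValue "HKCU:\Software\Classes\$MscHandler"
    $machine = Get-DefaultValue "HKLM:\Software\Classes\$MscHandler"
    $merged  = Get-DefaultValue "Registry::HKEY_CLASSES_ROOT\$MscHandler"
    [pscustomobject]@{
        MachineHandler   = $machine
        UserHandler      = $user
        EffectiveHandler = $merged
        Hijacked         = [bool]$user
    }
}

function Test-LocalAdminMembership {
    # Looks for BUILTIN\Administrators (S-1-5-32-544) among the token's group SIDs.
    # The medium-integrity token under UAC carries this SID as deny-only, but it is
    # still enumerated, so this reports membership rather than current elevation.
    $groups = [Security.Principal.WindowsIdentity]::GetCurrent().Groups |
        ForEach-Object { $_.Value }
    return ($groups -contains 'S-1-5-32-544')
}

function Get-UacLevel {
    # ConsentPromptBehaviorAdmin 2 is "Always Notify"; the default value 5 lets
    # auto-elevating Microsoft binaries such as eventvwr.exe elevate silently.
    $p = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        AlwaysNotify               = ($p.EnableLUA -eq 1 -and $p.ConsentPromptBehaviorAdmin -eq 2)
    }
}

$handler = Test-MscHandlerHijack
$handler | Format-List

if ($handler.Hijacked) {
    Write-Warning "Per-user .msc handler overrides the machine handler: $($handler.UserHandler)"
    if ($Remediate) {
        # Removing the whole per-user mscfile class restores the HKLM handler.
        Remove-Item -Path 'HKCU:\Software\Classes\mscfile' -Recurse -Force
        Write-Output 'Removed HKCU\Software\Classes\mscfile'
    }
}

$isAdmin = Test-LocalAdminMembership
$uac     = Get-UacLevel
$uac | Format-List

if ($isAdmin -and -not $uac.AlwaysNotify) {
    Write-Warning 'User is in local Administrators and UAC is below "Always Notify": eventvwr.exe auto-elevates without a prompt.'
} else {
    Write-Output 'Silent auto-elevation of eventvwr.exe is not available to this user.'
}
```

Save it as, for instance, Audit-EventVwrBypass.ps1 and run it as the user in question; add `-Remediate` to delete a planted per-user handler. The effective handler is read through `Registry::HKEY_CLASSES_ROOT` on purpose, so the output shows which of the two sources actually wins the merge rather than assuming it. For continuous monitoring rather than a one-off check, the same HKCU\Software\Classes\mscfile path is the natural target for a registry-write rule in a tool such as Sysmon.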
Nelson has privately disclosed the bug to Microsoft. However, the company has responded that the vulnerability is not severe enough for an explicit security bulletin and an immediate fix. You can read the public blog post with detailed information on his website.