Thursday, March 01, 2007 

Windows UAC Privelege Escalation

There has recently been a lot of discussion about Microsoft's User Access Control (UAC).

In Windows Vista, all programs run with lower privileges by default, even when ran by an administrator. The idea is that if you want to run a program as an administrator, Vista will prompt the user and ask them if they really want to allow it to run with higher privileges.

Some recent Blog's have pointed out some implementation flaws with this. See:

http://www.symantec.com/enterprise/security_response/weblog/2007/02/an_example_of_why_uac_prompts.html

The gist of it is that in order to help the user make an informed decision, Vista will display a different color on the UAC dialog box. Blue is supposed to mean that the application is signed by Microsoft. A sort of yellow-orange color means that the application is completely untrusted.
As it turns out, if you can get a user to run your executable (which hopefully isn't all that trivial in the first place) you can make the dialog box indicate that the application is digitially signed by Microsoft, but still run arbitrary code. The approach that the people above pointed out was to use a program called RunLegacyCPLElevated, which is designed to run legacy control panels with administrator privileges. To make this work, you have to compile a DLL as a control Panel.

That's not all that difficult, but why bother. It's just as easy to create a shortcut to command.exe. Then go into the properties and add

"\K echo Hello %username%"

or whatever arbitrary thing you want to do there. Then click on the advanced button and select "Run as administrator". Now, if you double click on that shortcut, it will ask the user if they want to run the "Windows Command Processor" with elevated privileges or not. The dialog will indicate that it is digitally signed by Microsoft, and will be a happy blue color indicating that all is well with the world. But, if the user allows it to run, it will run arbitrary commands with administrative privileges.

Is the sky really falling?

No. Not really. In Windows XP, if the user were running as an administrator, and he/she double-clicked a program that I gave them, then the game was pretty much over right there. If they were a regular user, then my program would be somewhat limited as to what it could do. I might be able to fool the user to use runas to run my program as administrator, but if I did, they wouldn't have any particular indication as to whether or not it was good or bad.

In Windows Vista, if you are running as a regular unprivileged user, you would have to enter the username and password of a privileged user in order to run something with escalated privileges. However, by default, Windows Vista prompts you to create a single user when you install it, and puts that user into the administrator's group. So, for the average home user, they would have to accept the UAC prompt, but they would not have to enter a password.

In conclusion, it is possible for an application in Windows Vista to make the user think it is safer than it actually is. If a user can be tricked into running something, they should pay attention to what it is that they are running and not just relay on the color of the UAC dialog box. In short, Vista is more secure than XP, but the additional security features in this case, are a heuristic, and not a foolproof prevention for user stupidity...