around UAC
Abusing Access Tokens for UAC Bypasses
UAC Architecture (diagram): an Application in the Limited User Logon Session (Authentication-ID = A-B) calls ShellExecute "runas"; the request goes over RPC to the AppInfo Service, which runs consent.exe and starts the new Application in the Elevated User Logon Session (Authentication-ID = X-Y).
Linked Tokens (diagram): the limited token carries Deny-Only Groups and also has fewer privileges; it is linked to the elevated token, and the elevated token is linked back to it.
The Problem with UAC (diagram): the Non-Admin Application and the Admin Application both run from the same User Profile directory and share the same Desktop and Kernel Objects.
Kernel Objects: the Clipboard Token (diagram): the Non-Admin Token's groups include the Logon SID. The UAC Admin Process writes to the clipboard and Win32k captures its token; the Non-Admin Process calls NtUserGetClipboardToken and receives the Captured Token opened for read, i.e. read-only access to the Clipboard Token.
Creating a New Process (diagram): the new Process Token is checked against the Parent Token, or against a Sibling Token.

Impersonating a Token (flowchart):
  Token Level == Identification  ->  ALLOWED
  Process has Impersonate Privilege  ->  ALLOWED
  Process IL >= Token IL  and  Process User == Token User  ->  ALLOWED
  otherwise  ->  Restrict to Identification Level
(Build slide: with Process IL < Token IL the check fails and falls through to Restrict to Identification Level.)

Reduce the Integrity Level
(Build slide: once the Integrity Level is reduced, Process IL >= Token IL holds again and the flow reaches ALLOWED.)
High IL != Administrator
● Standard auto-elevation of specific MS binaries.
● Scheduled Tasks
● Elevation Check
Elevation Checks

// Kernel pseudocode: an elevated impersonation token may only be impersonated
// by a process whose own token is elevated and not from a UAC logon session.
if (SeTokenIsElevated(ImpersonationToken)) {
  if (!SeTokenIsElevated(ProcessToken) ||
      ProcessToken->LogonSession->Flags.UacSession) {
    return STATUS_PRIVILEGE_NOT_HELD;
  }
}
// Continue with impersonation check.
What Makes a Token Elevated?
● Has “God” privileges or certain elevated groups

(Diagram: an Application impersonating a Non-Admin Token; a Non-Admin Application impersonating an Admin Token.)
DEMO
LogonUser New Credentials (diagram): across the Limited User Logon Session (Authentication-ID = A-B) and the Elevated User Logon Session (Authentication-ID = X-Y), an Application impersonating the Non-Elevated Token calls LogonUser, which goes through LSASS and returns a clone of the token with new credentials; the Admin Token (Elevated Token) belongs to the elevated session.

// Clone token with new credentials.
LogonUser("Badger",                      // user name
          "Badger",                      // domain
          "Badger",                      // password
          LOGON32_LOGON_NEW_CREDENTIALS,
          LOGON32_PROVIDER_DEFAULT,      // provider argument, omitted on the slide
          &Token);
Abuse Secondary Logon

ImpersonateLoggedOnUser(hNonElevatedToken);
CreateProcessWithLogonW("Badger", "Badger", "Badger",
                        LOGON_NETCREDENTIALS_ONLY,   // Equivalent to LOGON32_LOGON_NEW_CREDENTIALS
                        /* remaining parameters not shown on the slide */ ...);

(Diagram: the Normal User Logon Session (Authentication-ID = A-B) with the Normal User Registry Hive, and the Elevated User Logon Session (Authentication-ID = X-Y) with the Admin User Registry Hive.)
Impersonating an OTS Token (flowchart):
  Token Level == Identification  ->  ALLOWED
  Process has Impersonate Privilege  ->  ALLOWED
  Process IL >= Token IL  and  (Process User == Token User  or  Capability Check)  ->  ALLOWED
  otherwise  ->  Restrict to Identification Level

Capability Check

BOOLEAN SepIsImpersonationAllowedDueToCapability(PTOKEN token, PTOKEN imp_token) {
  // Tokens must be in the same Session and both be LowBox.
  if ((token->SessionId != imp_token->SessionId) ||
      ((token->TokenFlags & TOKEN_FLAGS_LOWBOX) == 0) ||
      ((imp_token->TokenFlags & TOKEN_FLAGS_LOWBOX) == 0)) {
    return FALSE;
  }
  // Process token must have the impersonation capability,
  // hold the impersonated token's capabilities, and be in the same package.
  if (!SepSidInTokenSidHash(&token->CapabilitiesHash,
                            SeConstrainedImpersonationCapabilitySid) ||
      !SepCheckCapabilities(token, imp_token->Capabilities) ||
      !RtlEqualSid(token->Package, imp_token->Package)) {
    return FALSE;
  }
  return TRUE;
}
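To tie the two flowcharts, the "Elevation Checks" snippet and the capability check together, the following is an added C model of the decision they describe. It is not Windows code and not the speaker's; the struct fields, the bitmask capabilities, the string-valued SIDs and the scenario functions are constructed for this example, and placing the elevation check after the SeImpersonatePrivilege check is an assumption about ordering that the slides do not state. It shows why a high-IL token that is not elevated passes once its IL is reduced, while an elevated token is stopped by the elevation check regardless of IL, and how the LowBox capability path substitutes for the user check.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Ordered so ">=" compares the way the slide's IL check does. */
enum il { IL_LOW = 1, IL_MEDIUM, IL_HIGH, IL_SYSTEM };
enum imp_level { IMP_ANONYMOUS, IMP_IDENTIFICATION, IMP_IMPERSONATION, IMP_DELEGATION };
enum outcome { ALLOWED, RESTRICT_TO_IDENTIFICATION, PRIVILEGE_NOT_HELD };
/* Capability SIDs modelled as bits (constructed for this example). */
#define CAP_CONSTRAINED_IMPERSONATION (1u << 0)
#define CAP_INTERNET_CLIENT           (1u << 1)

/* A token reduced to the fields the slides' checks consult; SIDs are strings. */
struct token {
    const char *user;          enum il integrity;      enum imp_level level;
    bool has_impersonate_priv; /* SeImpersonatePrivilege */
    bool elevated;             /* SeTokenIsElevated(): "God" privilege or elevated group */
    bool uac_session;          /* LogonSession->Flags.UacSession */
    unsigned session_id;       bool lowbox;            /* TOKEN_FLAGS_LOWBOX */
    const char *package;       unsigned capabilities;  /* AppContainer package, capability bits */
};

/* Model of SepIsImpersonationAllowedDueToCapability as the slide shows it. */
bool allowed_due_to_capability(const struct token *token, const struct token *imp)
{
    /* Tokens must be in the same session and both be LowBox. */
    if (token->session_id != imp->session_id || !token->lowbox || !imp->lowbox)
        return false;
    /* Process token needs the constrained-impersonation capability, every
       capability of the impersonated token, and the same package. */
    return (token->capabilities & CAP_CONSTRAINED_IMPERSONATION) &&
           (token->capabilities & imp->capabilities) == imp->capabilities &&
           strcmp(token->package, imp->package) == 0;
}

/* The flowcharts plus the "Elevation Checks" snippet; the position of the
   elevation check after the privilege check is an assumption. */
enum outcome token_can_impersonate(const struct token *proc, const struct token *imp)
{
    if (imp->level <= IMP_IDENTIFICATION)   /* Token Level == Identification */
        return ALLOWED;
    if (proc->has_impersonate_priv)         /* Process has Impersonate Privilege */
        return ALLOWED;
    /* Elevated token: the process must be elevated and not in a UAC logon session. */
    if (imp->elevated && (!proc->elevated || proc->uac_session))
        return PRIVILEGE_NOT_HELD;
    /* Process IL >= Token IL, then Process User == Token User or the LowBox path. */
    if (proc->integrity >= imp->integrity &&
        (strcmp(proc->user, imp->user) == 0 || allowed_due_to_capability(proc, imp)))
        return ALLOWED;
    return RESTRICT_TO_IDENTIFICATION;      /* Restrict to Identification Level */
}

/* Constructed sample tokens for one user in terminal session 1 (placeholder SIDs). */
#define USER_SID "S-1-5-21-EXAMPLE-1001"
static struct token limited_process(void)
{   /* medium IL, not elevated, from the UAC-limited logon session */
    return (struct token){ .user = USER_SID, .integrity = IL_MEDIUM,
        .level = IMP_IMPERSONATION, .uac_session = true, .session_id = 1, .package = "" };
}
static struct token admin_token(void)
{   /* high IL and elevated (admin group), from the elevated logon session */
    struct token t = limited_process();
    t.integrity = IL_HIGH; t.elevated = true; t.uac_session = false;
    return t;
}
static struct token high_il_non_admin_token(void)
{   /* "High IL != Administrator": high IL but SeTokenIsElevated() is false */
    struct token t = admin_token();
    t.elevated = false;
    return t;
}

/* Scenarios named after the slides; each returns the model's decision. */
enum outcome scenario_nonadmin_impersonates_admin(void)
{
    struct token p = limited_process(), t = admin_token();
    return token_can_impersonate(&p, &t);   /* PRIVILEGE_NOT_HELD: elevation check */
}
enum outcome scenario_admin_impersonates_nonadmin(void)
{
    struct token p = admin_token(), t = limited_process();
    return token_can_impersonate(&p, &t);   /* ALLOWED: same user, higher IL */
}
enum outcome scenario_high_il_token(bool reduce_il)
{
    struct token p = limited_process(), t = high_il_non_admin_token();
    if (reduce_il)
        t.integrity = IL_MEDIUM;            /* the "Reduce the Integrity Level" slide */
    return token_can_impersonate(&p, &t);   /* RESTRICT before, ALLOWED after */
}
enum outcome scenario_lowbox(const char *imp_package)
{
    struct token p = limited_process(), t = limited_process();
    t.user = "S-1-5-21-EXAMPLE-1002";       /* another user, so the user check fails */
    p.lowbox = t.lowbox = true;
    p.package = "S-1-15-2-EXAMPLE-PKG"; t.package = imp_package;
    p.capabilities = CAP_CONSTRAINED_IMPERSONATION | CAP_INTERNET_CLIENT;
    t.capabilities = CAP_INTERNET_CLIENT;
    return token_can_impersonate(&p, &t);   /* ALLOWED only for the same package */
}

int main(void)
{
    static const char *name[] = { "ALLOWED", "RESTRICT_TO_IDENTIFICATION", "PRIVILEGE_NOT_HELD" };
    printf("limited -> admin token: %s\n", name[scenario_nonadmin_impersonates_admin()]);
    printf("admin -> limited token: %s\n", name[scenario_admin_impersonates_nonadmin()]);
    printf("high-IL non-admin token, IL high / reduced: %s / %s\n",
           name[scenario_high_il_token(false)], name[scenario_high_il_token(true)]);
    printf("LowBox same / other package: %s / %s\n", name[scenario_lowbox("S-1-15-2-EXAMPLE-PKG")],
           name[scenario_lowbox("S-1-15-2-EXAMPLE-OTHER")]);
    return 0;
}
```

The scenarios map onto the slides in order: the elevation check is what separates "Non-Admin Application impersonating an Admin Token" from the high-IL-but-not-elevated case, and the capability path only opens when both tokens are LowBox, in the same session and package, with the process holding the constrained impersonation capability.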
Enterprise Authentication
DEMO
Is Anything Safe?
Hit CTRL+ALT+DEL and click
Conclusions
● Admin-Approval UAC is broken
● Over-the-shoulder UAC is pretty broken on Windows 10
● Best chance you have is fast-user switching
○ Don’t switch using Explorer, always use the secure attention sequence
Thanks
Any Questions?