Windows 7 UAC Vulnerable – User Mode Program Can Disable User Access Control

It seems like Windows 7 is already creating some controversy even though it’s still in BETA. Just like Vista it also has UAC (User Access Control) which a lot of people disable completely because they find it irritating (myself included).

When that happens, the boundary between security and usability has crossed too far and the control becomes useless because people just remove it.

Thankfully in Windows 7 they have made it more configurable with 4 levels to choose from which offer various levels of protection vs usability (level 4 is the same as Vista and it comes default at level 3).

The controversy is with a VBScript run in user-mode the UAC can be disabled (set to level 1) without any kind of prompt happening.

A controversy erupted last week with the revelation by a researcher that it is possible for a user-mode program in Windows 7 to disable User Access Control in the default configuration. My first reaction to this was that it was bad, but it’s a beta and it will be fixed. Now I’m getting the vibe from Microsoft that it won’t be fixed and I can see their argument. It still leaves me uncomfortable though.

For those of you unfamiliar with the specific problem, in Windows 7 the default behavior of UAC was changed so that the user is not prompted for access to Windows programs, such as control panel applets, as they are in Vista. UAC also no longer uses the “secure desktop” mode for confirmation by default.

And a new control panel is provided to let the user choose the behavior of UAC in Windows 7. There is a slider control with 4 levels: level 4 is the same as Vista, with all the same prompting for system-level changes and secure desktop; level 3, the default, is the same as level 4, but doesn’t prompt for changes in Windows settings, like the control panel; level 2 is the same as level 3, but does not use the secure desktop; and level 1 shuts off UAC; no prompting at all. The secure desktop is a special mode in which you can only interact with the UAC prompt, and no other software.

It’s not really a vulnerability in the traditional sense of the word as it’s a design choice by Microsoft and only occurs under a certain set of circumstances. For example the user must be running as Administrator for a program to be able to disable UAC without prompting.

So if the machine is set up properly and day to day usage is logged in under a non-privileged account this won’t be an issue anyhow. The problem I see is, how often does that really happen?

Everyone just uses the Administrator account, so this could be a real problem.

The proof of concept showed a user-mode program which spoofed keystrokes and mouse movements to change the setting from the default down to level 1.

What bothered me was that this was user-mode code. It seemed to me that it sort-of violated at least the spirit of UAC by indirectly elevating privilege through an external program, which level 3 is supposed to prompt. The author of the attack proposed what seemed a sensible solution: force a prompt, one that requires secure desktop, for that one case. The heart of the argument for making this a special case is that users would expect from level 3 that it would protect them from elevation changes from external programs.

There was a lot of hyperbole about this issue. There are many legitimate arguments that this isn’t so bad a problem, and in fact not surprising at all. Some of them are made in Roger’s Security Blog, who closes with the point that a lot of the criticism is hypocritical, amounting to calls for more rigid prompting from people who complained about it in Vista..

The more I’ve thought about it, the more I think Microsoft is right not to make a change here. Here are the major arguments for this position.

The fact still remains, for this to be an issue – the user has to run a piece of untrusted code (even if it’s ‘just’ a VBScript) and once that has happened you can assume the machine is compromised anyway.

I’d imagine the script to carry out the actions will soon enough be flagged by Anti-virus software rendering it a little less of a threat.

Either way I’ll be paying close attention to the insecurity security of Windows 7 – I hope you will too.

Source: eWeek

Posted in: Exploits/Vulnerabilities, Windows Hacking

, , , ,

Latest Posts:

Socialscan - Command-Line Tool To Check For Email And Social Media Username Usage Socialscan – Command-Line Tool To Check For Email And Social Media Username Usage
socialscan is an accurate command-line tool to check For email and social media username usage on online platforms, given an email address or username,
CFRipper - CloudFormation Security Scanning & Audit Tool CFRipper – CloudFormation Security Scanning & Audit Tool
CFRipper is a Python-based Library and CLI security analyzer that functions as an AWS CloudFormation security scanning and audit tool
CredNinja - Test Credential Validity of Dumped Credentials or Hashes CredNinja – Test Credential Validity of Dumped Credentials or Hashes
CredNinja is a tool to quickly test credential validity of dumped credentials (or hashes) across an entire network or domain very efficiently.
assetfinder - Find Related Domains and Subdomains assetfinder – Find Related Domains and Subdomains
assetfinder is a Go-based tool to find related domains and subdomains that are related to a given domain from a variety of sources including Facebook and more.
Karkinos - Beginner Friendly Penetration Testing Tool Karkinos – Beginner Friendly Penetration Testing Tool
Karkinos is a light-weight Beginner Friendly Penetration Testing Tool, which is basically a 'Swiss Army Knife' for pen-testing and/or hacking CTF's.
Aclpwn.Py - Exploit ACL Based Privilege Escalation Paths in Active Directory Aclpwn.Py – Exploit ACL Based Privilege Escalation Paths in Active Directory is a tool that interacts with BloodHound< to identify and exploit ACL based privilege escalation paths.

9 Responses to Windows 7 UAC Vulnerable – User Mode Program Can Disable User Access Control

  1. cbrp1r8 February 5, 2009 at 3:06 pm #

    I’ll stick w/ Linux. :D

  2. Morgan Storey February 6, 2009 at 2:56 am #

    @Darknet: Your comments section is broke. I wrote a really long reply but it came up with a javascript error/possible spammer, as it does occasionally. Let me know when it is fixed and I will contribute then :(

    Sorry, there was an error. Please enable JavaScript and Cookies in your browser and try again.


    * JavaScript is enabled.
    * PHP detects that cookies appear to be enabled.

    This message was generated by WP-SpamFree.

    If you feel you have received this message in error (for example if both statuses above indicate that JavaScript and Cookies are in fact enabled and you have tried to post several times), please alert the author of this blog, and let them know they need to view the Technical Support information.

  3. Darknet February 6, 2009 at 8:09 am #

    It’s not broke and it’s either this or a captcha. Just copy your comment to the clipboard before you submit like most normal people do :)

  4. Morgan Storey February 6, 2009 at 11:52 am #

    I usually do put it on the clipboard, then sometimes even into a document, I once had about 7 posts sitting in my Darknet document. This is not how many other sites work.
    A captcha would be better, or logins, most people hit submit and simply expect it to actually submit what they have typed not have to backup their post.

  5. navin February 6, 2009 at 12:37 pm #

    ++1 :)
    Darknet must’ve gotten used to our “Akismet is broke” or “The Woprdpress antispam plugin is broke” comments!! ;)

  6. Bogwitch February 6, 2009 at 7:27 pm #

    Oh, for Pete’s sake, not logins. Captch’s are not that much nicer, imo. Darknet, if you’re going to use captcha, at least use re-captcha so I feel as though I’m doing something useful.

    @Morgan, it is a pain, but ^a^c is not too hard a price to pay to keep the spam out of here, is it? It seems to be working….

  7. Morgan Storey February 6, 2009 at 11:53 pm #

    @Bogwitch: it isn’t that hard but as I don’t have to do it anywhere else I post I forget to do it here, eventually that lapse costs me.
    I agree captcha’s would be nicer and recaptcha is easy and giving something back, and iirc it is free.
    Maybe if the page where so full of javascript we could successfully press back and re-submit our comments but we can’t

    For a site that enjoys user comments I would be of the opinion that any that are lost could be disastrous as it could cause a new user to simply not visit the site anymore.

  8. Darknet February 7, 2009 at 7:35 am #

    Ok I’ll turn off WP-Spamfree for the moment, if it makes too much work for me though I’ll put reCaptcha in.

  9. Bogwitch February 14, 2009 at 11:54 am #

    Darknet, please turn it back on!!!!