Windows 7 UAC Vulnerable – User Mode Program Can Disable User Access Control

Use Netsparker

It seems like Windows 7 is already creating some controversy even though it’s still in BETA. Just like Vista it also has UAC (User Access Control) which a lot of people disable completely because they find it irritating (myself included).

When that happens, the boundary between security and usability has crossed too far and the control becomes useless because people just remove it.

Thankfully in Windows 7 they have made it more configurable with 4 levels to choose from which offer various levels of protection vs usability (level 4 is the same as Vista and it comes default at level 3).

The controversy is with a VBScript run in user-mode the UAC can be disabled (set to level 1) without any kind of prompt happening.

A controversy erupted last week with the revelation by a researcher that it is possible for a user-mode program in Windows 7 to disable User Access Control in the default configuration. My first reaction to this was that it was bad, but it’s a beta and it will be fixed. Now I’m getting the vibe from Microsoft that it won’t be fixed and I can see their argument. It still leaves me uncomfortable though.

For those of you unfamiliar with the specific problem, in Windows 7 the default behavior of UAC was changed so that the user is not prompted for access to Windows programs, such as control panel applets, as they are in Vista. UAC also no longer uses the “secure desktop” mode for confirmation by default.

And a new control panel is provided to let the user choose the behavior of UAC in Windows 7. There is a slider control with 4 levels: level 4 is the same as Vista, with all the same prompting for system-level changes and secure desktop; level 3, the default, is the same as level 4, but doesn’t prompt for changes in Windows settings, like the control panel; level 2 is the same as level 3, but does not use the secure desktop; and level 1 shuts off UAC; no prompting at all. The secure desktop is a special mode in which you can only interact with the UAC prompt, and no other software.

It’s not really a vulnerability in the traditional sense of the word as it’s a design choice by Microsoft and only occurs under a certain set of circumstances. For example the user must be running as Administrator for a program to be able to disable UAC without prompting.

So if the machine is set up properly and day to day usage is logged in under a non-privileged account this won’t be an issue anyhow. The problem I see is, how often does that really happen?

Everyone just uses the Administrator account, so this could be a real problem.

The proof of concept showed a user-mode program which spoofed keystrokes and mouse movements to change the setting from the default down to level 1.

What bothered me was that this was user-mode code. It seemed to me that it sort-of violated at least the spirit of UAC by indirectly elevating privilege through an external program, which level 3 is supposed to prompt. The author of the attack proposed what seemed a sensible solution: force a prompt, one that requires secure desktop, for that one case. The heart of the argument for making this a special case is that users would expect from level 3 that it would protect them from elevation changes from external programs.

There was a lot of hyperbole about this issue. There are many legitimate arguments that this isn’t so bad a problem, and in fact not surprising at all. Some of them are made in Roger’s Security Blog, who closes with the point that a lot of the criticism is hypocritical, amounting to calls for more rigid prompting from people who complained about it in Vista..

The more I’ve thought about it, the more I think Microsoft is right not to make a change here. Here are the major arguments for this position.

The fact still remains, for this to be an issue – the user has to run a piece of untrusted code (even if it’s ‘just’ a VBScript) and once that has happened you can assume the machine is compromised anyway.

I’d imagine the script to carry out the actions will soon enough be flagged by Anti-virus software rendering it a little less of a threat.

Either way I’ll be paying close attention to the insecurity security of Windows 7 – I hope you will too.

Source: eWeek

Posted in: Exploits/Vulnerabilities, Windows Hacking

, , , ,

Latest Posts:

SCADA Hacking - Industrial Systems Woefully Insecure SCADA Hacking – Industrial Systems Woefully Insecure
airgeddon - Wireless Security Auditing Script airgeddon – Wireless Security Auditing Script
Airgeddon is a Bash powered multi-use Wireless Security Auditing Script for Linux systems with an extremely extensive feature list.
Acunetix v12 - Pause & Resume Acunetix v12 – More Comprehensive More Accurate & 2x Faster
Acunetix, the pioneer in automated web application security software, has announced the release of Acunetix v12 - more comprehensive, accurate & 2x faster.
CloudFrunt - Identify Misconfigured CloudFront Domains CloudFrunt – Identify Misconfigured CloudFront Domains
CloudFrunt is a Python-based tool for identifying misconfigured CloudFront domains, it uses DNS and looks for CNAMEs which may be allowed to be associated with CloudFront distributions.
Airbash - Fully Automated WPA PSK Handshake Capture Script Airbash – Fully Automated WPA PSK Handshake Capture Script
Airbash is a POSIX-compliant, fully automated WPA PSK handshake capture script aimed at penetration testing, it is compatible with Bash and Android Shell.
XXEinjector - Automatic XXE Injection Tool For Exploitation XXEinjector – Automatic XXE Injection Tool For Exploitation
XXEinjector is an XXE Injection Tool that automates retrieving files using direct and out of band methods. Directory listing only works in Java applications.

9 Responses to Windows 7 UAC Vulnerable – User Mode Program Can Disable User Access Control

  1. cbrp1r8 February 5, 2009 at 3:06 pm #

    I’ll stick w/ Linux. :D

  2. Morgan Storey February 6, 2009 at 2:56 am #

    @Darknet: Your comments section is broke. I wrote a really long reply but it came up with a javascript error/possible spammer, as it does occasionally. Let me know when it is fixed and I will contribute then :(

    Sorry, there was an error. Please enable JavaScript and Cookies in your browser and try again.


    * JavaScript is enabled.
    * PHP detects that cookies appear to be enabled.

    This message was generated by WP-SpamFree.

    If you feel you have received this message in error (for example if both statuses above indicate that JavaScript and Cookies are in fact enabled and you have tried to post several times), please alert the author of this blog, and let them know they need to view the Technical Support information.

  3. Darknet February 6, 2009 at 8:09 am #

    It’s not broke and it’s either this or a captcha. Just copy your comment to the clipboard before you submit like most normal people do :)

  4. Morgan Storey February 6, 2009 at 11:52 am #

    I usually do put it on the clipboard, then sometimes even into a document, I once had about 7 posts sitting in my Darknet document. This is not how many other sites work.
    A captcha would be better, or logins, most people hit submit and simply expect it to actually submit what they have typed not have to backup their post.

  5. navin February 6, 2009 at 12:37 pm #

    ++1 :)
    Darknet must’ve gotten used to our “Akismet is broke” or “The Woprdpress antispam plugin is broke” comments!! ;)

  6. Bogwitch February 6, 2009 at 7:27 pm #

    Oh, for Pete’s sake, not logins. Captch’s are not that much nicer, imo. Darknet, if you’re going to use captcha, at least use re-captcha so I feel as though I’m doing something useful.

    @Morgan, it is a pain, but ^a^c is not too hard a price to pay to keep the spam out of here, is it? It seems to be working….

  7. Morgan Storey February 6, 2009 at 11:53 pm #

    @Bogwitch: it isn’t that hard but as I don’t have to do it anywhere else I post I forget to do it here, eventually that lapse costs me.
    I agree captcha’s would be nicer and recaptcha is easy and giving something back, and iirc it is free.
    Maybe if the page where so full of javascript we could successfully press back and re-submit our comments but we can’t

    For a site that enjoys user comments I would be of the opinion that any that are lost could be disastrous as it could cause a new user to simply not visit the site anymore.

  8. Darknet February 7, 2009 at 7:35 am #

    Ok I’ll turn off WP-Spamfree for the moment, if it makes too much work for me though I’ll put reCaptcha in.

  9. Bogwitch February 14, 2009 at 11:54 am #

    Darknet, please turn it back on!!!!