07-31-2020 , 06:08 PM
Quote: A new technique uses a simplified process of DLL hijacking and mock directories to bypass Windows 10's UAC security feature and run elevated commands without alerting a user.
Windows UAC is a protection mechanism introduced in Windows Vista and above, which asks the user to confirm if they wish to run a high-risk application before it is executed.
As users are repeatedly asked to authorize legitimate processes, which can get annoying fast, starting with Windows 7, Microsoft introduced inbuilt “exceptions” within the UAC framework.
This feature allows trusted system DLLs located under C:\Windows\System32\ to “auto elevate” to higher privileges without displaying a UAC prompt.
This allows system processes that need elevated permissions to execute DLLs and EXEs without requiring the user to answer UAC prompts.
Last month BleepingComputer reported how security researcher Wietze Beukema found that 300 Windows executables were vulnerable to DLL hijacking that allows attackers to bypass the UAC security feature.
Building on the same technique, security researcher and pentester Daniel Gebert illustrates how Windows 10 User Account Control (UAC) can also be bypassed through a combination of DLL hijacking techniques and mock directories.
Introducing Windows 10 mock directories
A mock directory is an imitation directory with a trailing space. For example, whereas "C:\Windows\System32" is a legitimate, trusted location on Windows machines, a mock directory would look like "C:\Windows\ System32" (notice the trailing space after Windows\).
When creating mock directories, there are two restrictions:
Mock directories cannot be directly created from within the Windows Explorer UI, so you'd need a simple script to accomplish the task.
Not all directories can be mocked:
"A mock directory must include a [subdirectory]. It is not possible to create 'C:\Windows '. But it is possible to create 'C:\Windows \System32'," Gebert explains in his blog post.
To make a mock directory, you can simply use a PowerShell command like:
New-Item "\\?\C:\Windows \System32" -ItemType Directory
When done, the C:\ root folder will now contain two Windows folders, but in reality, the second one has a trailing space, as shown below.
What makes mock folders so dangerous is that Windows, in some cases, like using File Explorer, treats "C:\Windows" and "C:\Windows " as the same folder, as illustrated below.
Continue reading HERE
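The following PowerShell script is an added example, not code from the article or from Gebert's post. It creates the mock directory the article describes, shows why it is easy to miss in a directory listing (the only difference is an extra character in the name), adds a small defender-side check that flags directories whose names end in whitespace, and removes the mock directory again. It assumes Windows 10 with PowerShell 5.1 or later and the default ACL on the C:\ root (which lets Authenticated Users create folders there without elevation); the function name Find-MockDirectory is my own.

```powershell
# Added example (not from the article or from Gebert's post): create a mock
# directory, show how it hides in a plain listing, detect it, and remove it.
# Assumes PowerShell 5.1+ on Windows 10 and the default ACL on the C:\ root.

$mockRoot = 'C:\Windows '              # note the trailing space
$mockSub  = "$mockRoot\System32"

# The \\?\ prefix makes Win32 skip path normalisation, so the trailing space
# survives instead of being stripped. Without the prefix the same command would
# simply target the real C:\Windows\System32.
New-Item -Path "\\?\$mockSub" -ItemType Directory -Force | Out-Null

# A plain listing now shows two entries that both read as "Windows".
# Bracketing the name and printing its length makes the difference visible.
Get-ChildItem -Path 'C:\' -Directory |
    Where-Object { $_.Name -like 'Windows*' } |
    ForEach-Object { '[{0}]  length={1}' -f $_.Name, $_.Name.Length }

# Defender check (hypothetical helper): any directory whose name ends in
# whitespace is suspicious, because neither Explorer nor a normal user creates
# such names. Scans the drive root and one level below it by default.
function Find-MockDirectory {
    param([string]$Root = 'C:\')
    Get-ChildItem -LiteralPath $Root -Directory -Recurse -Depth 1 -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '\s$' } |
        Select-Object FullName, @{ Name = 'NameLength'; Expression = { $_.Name.Length } }
}
Find-MockDirectory

# Clean up. The \\?\ prefix is required here too; otherwise the trailing space
# is stripped and the command would point at the real C:\Windows.
# Deliberately no -Recurse, so a typo cannot cascade into the real tree.
Remove-Item -LiteralPath "\\?\$mockSub" -Force
Remove-Item -LiteralPath "\\?\$mockRoot" -Force
```

Run it from a normal PowerShell session; after the listing step you should see the name lengths 7 and 8 for the real and the mock "Windows" entry. If Remove-Item on your build refuses the \\?\ path (older provider versions handled it inconsistently), the classic fallback is `cmd /c rd "\\?\C:\Windows \System32"` followed by the same for the parent, which deletes the exact literal path. The same whitespace-suffix check can be turned into a scheduled scan or a file-creation audit filter, since a trailing-space directory under a drive root has no legitimate reason to exist.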