Microsoft described the Windows User Account Control (UAC) security feature as helping “defend your PC against hackers and malicious software. Any time a program wants to make a major change to your computer, UAC lets you know and asks for permission.” But when the UAC box pops up, prompting you to choose if you will allow a program to make changes on your computer, do you click on “Show details” before selecting “Yes” or “No”? Like most decisions in life, the devil is in the details.
On the Cylance security firm blog, Derek Soeder discussed ShameOnUAC, proof-of-concept malware that attacks Windows Explorer. It was developed by the Cylance SPEAR Team while the group was looking at the potential to subvert programs during privilege elevation through UAC.
To understand how UAC works, Soeder gives two examples. The first shows UAC running as it was intended.
The second shows UAC running after the ShameOnUAC malware was injected. “If you don't click the consent prompt's ‘Show details’ button, you'd see no difference between the two scenarios.” He added that even if users do click to see the details, “Users who review that box must understand what they see.”
The malware tricks the Windows Application Information service (Appinfo); Microsoft described the Appinfo service as facilitating “the running of interactive applications with additional administrative privileges.” So when a program wants elevated rights, the request goes to Appinfo, which then triggers the UAC prompt asking the user whether to allow the program to make changes. Although Cylance developed ShameOnUAC to target requests to elevate Windows Command Prompt (cmd.exe) and Registry Editor (regedit.exe), Soeder said “more targets are surely possible.”
Regarding cmd.exe, when ShameOnUAC runs, the user still gets the expected admin command prompt after clicking on “yes” but “ShameOnUAC gets to run a command of its choosing first. At that point, it has attained administrator privileges.”
Regarding regedit.exe, ShameOnUAC causes it to silently install a .reg file and then registers a second elevation request. Cylance’s write-up gives the technical details; in summary, Soeder said, “That request causes AppInfo to run a new consent.exe process (as SYSTEM), which loads the ShameOnUAC library before displaying anything to the user. The library then tweaks the parameters consent.exe receives from the AppInfo service to suppress the consent prompt. The user gets the expected Regedit window—after ShameOnUAC gets SYSTEM privileges.”
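As an added illustration from the defender’s side (this is not Cylance’s code and was not part of the original article), the following Python sketch flags image-load records in which consent.exe, which the article notes runs as SYSTEM, loads a library that is unsigned or lives outside the Windows directory. The Sysmon-style key=value lines, the DLL names and the trusted-path heuristic are constructed assumptions; the field names follow Sysmon’s Event ID 7 (ImageLoad).

```python
import re
from typing import Dict, List

# Constructed sample records shaped like Sysmon Event ID 7 (ImageLoad) fields,
# flattened to one key=value line each. Paths and DLL names are made up.
SAMPLE_EVENTS = [
    "EventID=7 Image=C:\\Windows\\System32\\consent.exe "
    "ImageLoaded=C:\\Windows\\System32\\ntdll.dll Signed=true "
    "Signature=Microsoft Windows User=NT AUTHORITY\\SYSTEM",
    "EventID=7 Image=C:\\Windows\\System32\\consent.exe "
    "ImageLoaded=C:\\Users\\Public\\injected.dll Signed=false "
    "Signature= User=NT AUTHORITY\\SYSTEM",
    "EventID=7 Image=C:\\Windows\\explorer.exe "
    "ImageLoaded=C:\\Users\\Public\\injected.dll Signed=false "
    "Signature= User=DESKTOP\\alice",
    "EventID=7 Image=C:\\Windows\\System32\\consent.exe "
    "ImageLoaded=C:\\Windows\\Temp\\hook.dll Signed=false "
    "Signature= User=NT AUTHORITY\\SYSTEM",
]

# Matches "Key=value" where the value runs up to the next " Key=" or end of line,
# so values containing spaces (signer names, user names) survive parsing.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    """Split a flattened key=value record into a dict."""
    return {m.group(1): m.group(2) for m in FIELD_RE.finditer(line)}


def is_suspicious_consent_load(ev: Dict[str, str]) -> bool:
    """Heuristic (assumption): consent.exe should only load Microsoft-signed
    code from under C:\\Windows. Anything else deserves a look."""
    if ev.get("EventID") != "7":
        return False
    if not ev.get("Image", "").lower().endswith("\\consent.exe"):
        return False
    loaded = ev.get("ImageLoaded", "").lower()
    inside_windows = loaded.startswith("c:\\windows\\")
    ms_signed = (ev.get("Signed", "").lower() == "true"
                 and ev.get("Signature", "").startswith("Microsoft"))
    return not (inside_windows and ms_signed)


def suspicious_consent_loads(lines: List[str]) -> List[str]:
    """Return the ImageLoaded paths of records that trip the heuristic."""
    return [ev["ImageLoaded"] for ev in map(parse_event, lines)
            if is_suspicious_consent_load(ev)]


if __name__ == "__main__":
    for path in suspicious_consent_loads(SAMPLE_EVENTS):
        print("consent.exe loaded unexpected library:", path)
```

On the constructed input this reports the unsigned DLL under C:\Users\Public and the unsigned one under C:\Windows\Temp, but not ntdll.dll or the load by explorer.exe.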
Cylance previously explained ShameOnUAC during the RSA presentation “Hacking Exposed: Next Generation Attacks.” The presentation included a graphic summarizing the attack chain in abbreviated form: run the ShameOnUAC malware backdoor; trigger the UAC prompt on the victim’s PC; “cached credential dumping equals the keys to the kingdom; connect back; game is over.”
Additionally, there are no mitigations for ShameOnUAC: “It’s a feature.”
ShameOnUAC adds a new trick to an arsenal of widely known privilege escalation methods, demonstrating an opportunistic privilege elevation from medium to high integrity when UAC is in use.
It's important to point out that UAC is working as designed. ShameOnUAC is creepy to watch in action because it shows users could have been unintentionally elevating malware from "dangerous" to "game over" all along, each time ignoring the information that would have allowed them to catch it.
Now that I've played with ShameOnUAC, I always click the "Show details" button, because if I don't, it could be shame on me.
Is this part of future next-gen attacks? It might be a good idea to get into the habit of clicking "Show details" if you don't do so now.