Abusing Access Tokens for UAC Bypasses
UAC Architecture
● Limited User Logon Session (Authentication-ID = A-B): the Application calls ShellExecute "runas"
● The request is passed over RPC to the AppInfo Service
● AppInfo runs consent.exe to prompt the user
● Elevated User Logon Session (Authentication-ID = X-Y): the elevated Application is created there
Linked Tokens
● The full admin token and the filtered token are linked to each other
● Deny-Only Groups in the filtered token
● Also Fewer Privileges
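The linked-token split described on this slide, as an added example that is not from the talk: a C model of how UAC derives the filtered token from the full admin token (the Administrators group marked deny-only, the integrity level lowered to Medium, most privileges dropped) together with the "is this token elevated" test the later slides rely on. The lists of "God" privileges, of elevated groups and of privileges the filtered token keeps, the user name and the logon SID are assumptions; it uses no Windows API and compiles with any C99 compiler.

```c
/* Added example, not the talk's code: a model of the two linked tokens UAC
 * gives an administrator. The privilege and group names are the real Windows
 * names; which of them count as "elevated" and which survive filtering are
 * assumptions modelled on the talk's description. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 16

/* Integrity levels, as the numeric RIDs Windows uses for them. */
enum integrity_level { IL_LOW = 0x1000, IL_MEDIUM = 0x2000, IL_HIGH = 0x3000 };

struct group {
    const char *name;
    bool deny_only;   /* SE_GROUP_USE_FOR_DENY_ONLY: the group can only deny access */
};

struct token {
    const char *user;
    enum integrity_level il;
    int group_count;
    struct group groups[MAX_ENTRIES];
    int priv_count;
    const char *privs[MAX_ENTRIES];
};

/* Assumption: groups that make a token elevated when they are enabled. */
static const char *const ELEVATED_GROUPS[] = { "BUILTIN\\Administrators", NULL };

/* Assumption: the "God" privileges; any one of them makes a token elevated. */
static const char *const GOD_PRIVS[] = {
    "SeDebugPrivilege", "SeTcbPrivilege", "SeImpersonatePrivilege",
    "SeLoadDriverPrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
    "SeTakeOwnershipPrivilege", "SeCreateTokenPrivilege", NULL
};

/* Assumption: privileges the filtered (limited) token is allowed to keep. */
static const char *const LUA_KEEP_PRIVS[] = {
    "SeChangeNotifyPrivilege", "SeShutdownPrivilege", "SeUndockPrivilege",
    "SeIncreaseWorkingSetPrivilege", "SeTimeZonePrivilege", NULL
};

static bool in_list(const char *const *list, const char *name) {
    for (; *list; list++)
        if (strcmp(*list, name) == 0) return true;
    return false;
}

/* Model of SeTokenIsElevated(): true if any God privilege is present or an
 * elevated group is enabled (deny-only groups do not count). */
bool token_is_elevated(const struct token *t) {
    for (int i = 0; i < t->priv_count; i++)
        if (in_list(GOD_PRIVS, t->privs[i])) return true;
    for (int i = 0; i < t->group_count; i++)
        if (!t->groups[i].deny_only && in_list(ELEVATED_GROUPS, t->groups[i].name))
            return true;
    return false;
}

/* Build the filtered token that UAC links to a full admin token. */
struct token make_filtered_token(const struct token *full) {
    struct token limited = *full;
    limited.il = IL_MEDIUM;
    for (int i = 0; i < limited.group_count; i++)
        if (in_list(ELEVATED_GROUPS, limited.groups[i].name))
            limited.groups[i].deny_only = true;
    limited.priv_count = 0;
    for (int i = 0; i < full->priv_count; i++)
        if (in_list(LUA_KEEP_PRIVS, full->privs[i]))
            limited.privs[limited.priv_count++] = full->privs[i];
    return limited;
}

/* Constructed sample: a full admin token for the talk's user "Badger". */
struct token sample_full_admin_token(void) {
    struct token t = { .user = "Badger", .il = IL_HIGH };
    t.groups[t.group_count++] = (struct group){ "BUILTIN\\Administrators", false };
    t.groups[t.group_count++] = (struct group){ "BUILTIN\\Users", false };
    t.groups[t.group_count++] = (struct group){ "S-1-5-5-0-1 (constructed logon SID)", false };
    t.privs[t.priv_count++] = "SeDebugPrivilege";
    t.privs[t.priv_count++] = "SeChangeNotifyPrivilege";
    t.privs[t.priv_count++] = "SeShutdownPrivilege";
    t.privs[t.priv_count++] = "SeBackupPrivilege";
    return t;
}

int main(void) {
    struct token full = sample_full_admin_token();
    struct token limited = make_filtered_token(&full);
    printf("full token elevated: %d, filtered token elevated: %d\n",
           token_is_elevated(&full), token_is_elevated(&limited));
    printf("filtered token keeps %d of %d privileges\n", limited.priv_count, full.priv_count);
    return 0;
}
```

Both tokens keep the same user and the same logon SID, which is the point the following "Problem with UAC" slides build on: the filtered token is weaker, but it is still the same identity sharing the same profile, desktop and kernel objects.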
The Problem with UAC
● The Non-Admin Application and the Admin Application share the same User Profile Directory
● They also share the same Desktop and Kernel Objects
● Kernel objects are protected by the Logon SID, and that Logon SID is in the Groups of the Non-Admin Token as well
Clipboard Token
● A UAC Admin Process writes to the Clipboard; Win32k keeps the writer's Captured Token alongside the clipboard data
● A Non-Admin Process calls NtUserGetClipboardToken and the Captured Token is opened for read
● Clipboard Token: read-only access
Creating a New Process
[Diagram: Parent Token, Sibling Token, Process Token]
Impersonating a Token
Outcome: ALLOWED, or Restrict to Identification Level
● Token Level == Identification → ALLOWED
● Process has Impersonate Privilege → ALLOWED
● Process IL >= Token IL and Process User == Token User → ALLOWED
● Process IL < Token IL → Restrict to Identification Level
Reduce the Integrity Level
High IL != Administrator
● Standard auto-elevation of specific MS binaries.
● Scheduled Tasks
● Elevation Check
Elevation Checks
if (SeTokenIsElevated(ImpersonationToken)) {
    if (!SeTokenIsElevated(ProcessToken) ||
        ProcessToken->LogonSession->Flags.UacSession) {
        return STATUS_PRIVILEGE_NOT_HELD;
    }
}
// Continue with impersonation check.
What Makes a Token Elevated?
● Has "God" privileges or certain elevated groups
[Diagram: an Admin Application can Impersonate a Non-Admin Token; a Non-Admin Application tries to Impersonate an Admin Token]
DEMO
LogonUser New Credentials
[Diagram: LSASS holds a Limited User Logon Session (Authentication-ID = A-B) and an Elevated User Logon Session (Authentication-ID = X-Y); the Application calls LogonUser]
// Clone token with new credentials.
LogonUser("Badger", "Badger", "Badger",
          LOGON32_LOGON_NEW_CREDENTIALS, &Token);
[Diagram: Impersonate Non-Elevated Token → LogonUser → Admin Token / Elevated Token]
Abuse Secondary Logon
ImpersonateLoggedOnUser(hNonElevatedToken);
CreateProcessWithLogonW("Badger", "Badger", "Badger",
                        LOGON_NETCREDENTIALS_ONLY, ...);
● LOGON_NETCREDENTIALS_ONLY is equivalent to LOGON32_LOGON_NEW_CREDENTIALS
[Diagram: Normal User Logon Session (Authentication-ID = A-B) with the Normal User Registry Hive; Elevated User Logon Session (Authentication-ID = X-Y) with the Admin User Registry Hive]
Impersonating an OTS Token
Outcome: ALLOWED, or Restrict to Identification Level
● Token Level == Identification → ALLOWED
● Process has Impersonate Privilege → ALLOWED
● Process IL >= Token IL and (Process User == Token User, or the Capability Check passes) → ALLOWED
Capability Check
BOOLEAN SepIsImpersonationAllowedDueToCapability(PTOKEN token, PTOKEN imp_token) {
    // Tokens must be in the same Session and both be LowBox.
    if ((token->SessionId != imp_token->SessionId) ||
        ((token->TokenFlags & TOKEN_FLAGS_LOWBOX) == 0) ||
        ((imp_token->TokenFlags & TOKEN_FLAGS_LOWBOX) == 0)) {
        return FALSE;
    }
    // Process token must have the impersonation capability, and be in the same package.
    if (!SepSidInTokenSidHash(&token->CapabilitiesHash,
                              SeConstrainedImpersonationCapabilitySid) ||
        !SepCheckCapabilities(token, imp_token->Capabilities) ||
        !RtlEqualSid(token->Package, imp_token->Package)) {
        return FALSE;
    }
    return TRUE;
}
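Putting the "Impersonating a Token", "Elevation Checks" and "Capability Check" slides together, as an added example that is neither the talk's nor Microsoft's code: a C model of the whole decision, with the elevation test, LowBox state, package and capability results reduced to precomputed fields, plus four constructed scenarios taken from the slides (an elevated process taking a non-admin token, a non-admin process taking the elevated token, a High-IL but non-elevated token, and an OTS-style token of another user reached through the constrained-impersonation capability). The ordering of the checks, the field names, the user names and the package SID are assumptions; the real kernel derives all of these from the tokens themselves.

```c
/* Added example (not from the talk): a model of the kernel's decision on
 * whether a process token may impersonate a target token. Elevation, LowBox
 * state and capability results are precomputed fields here; the real kernel
 * derives them from the tokens. The order of the checks is an assumption. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum impersonation_level { SEC_ANONYMOUS, SEC_IDENTIFICATION, SEC_IMPERSONATION, SEC_DELEGATION };
enum verdict { ALLOWED, RESTRICT_TO_IDENTIFICATION, PRIVILEGE_NOT_HELD };

struct tok {
    const char *user;
    int integrity_level;          /* 0x1000 Low, 0x2000 Medium, 0x3000 High */
    bool elevated;                /* what SeTokenIsElevated() would return */
    bool uac_session;             /* LogonSession->Flags.UacSession */
    bool has_impersonate_priv;    /* SeImpersonatePrivilege (process side) */
    bool lowbox;                  /* TOKEN_FLAGS_LOWBOX */
    unsigned session_id;
    const char *package;          /* AppContainer package SID, as text */
    bool has_constrained_imp_cap; /* SeConstrainedImpersonationCapabilitySid present */
    bool caps_superset_of_target; /* what SepCheckCapabilities() would return */
};

/* Model of SepIsImpersonationAllowedDueToCapability() from the slide. */
bool allowed_due_to_capability(const struct tok *proc, const struct tok *imp) {
    /* Tokens must be in the same session and both be LowBox. */
    if (proc->session_id != imp->session_id || !proc->lowbox || !imp->lowbox)
        return false;
    /* Process token must hold the impersonation capability and share the package. */
    if (!proc->has_constrained_imp_cap || !proc->caps_superset_of_target ||
        strcmp(proc->package, imp->package) != 0)
        return false;
    return true;
}

enum verdict check_impersonation(const struct tok *proc, const struct tok *imp,
                                 enum impersonation_level level) {
    /* Identification level (or below) is always allowed. */
    if (level <= SEC_IDENTIFICATION) return ALLOWED;
    /* Elevation Checks slide: an elevated token needs an elevated process
     * that is not itself in a UAC logon session. */
    if (imp->elevated && (!proc->elevated || proc->uac_session))
        return PRIVILEGE_NOT_HELD;
    if (proc->has_impersonate_priv) return ALLOWED;
    /* Same user (or same package via the capability), gated on integrity level. */
    if (proc->integrity_level >= imp->integrity_level &&
        (strcmp(proc->user, imp->user) == 0 || allowed_due_to_capability(proc, imp)))
        return ALLOWED;
    return RESTRICT_TO_IDENTIFICATION;
}

/* Constructed token with neutral defaults; "Badger" is the talk's sample user. */
struct tok make_tok(const char *user, int il) {
    struct tok t;
    memset(&t, 0, sizeof t);
    t.user = user; t.integrity_level = il; t.session_id = 1; t.package = "";
    return t;
}

/* Elevated (UAC split-token) process takes a non-admin token of the same user. */
enum verdict scenario_admin_takes_nonadmin(void) {
    struct tok proc = make_tok("Badger", 0x3000), imp = make_tok("Badger", 0x2000);
    proc.elevated = true; proc.uac_session = true;
    return check_impersonation(&proc, &imp, SEC_IMPERSONATION);
}
/* Non-admin process tries to take the elevated token. */
enum verdict scenario_nonadmin_takes_admin(void) {
    struct tok proc = make_tok("Badger", 0x2000), imp = make_tok("Badger", 0x3000);
    imp.elevated = true;
    return check_impersonation(&proc, &imp, SEC_IMPERSONATION);
}
/* High IL != Administrator: the token is not elevated, but its IL is higher. */
enum verdict scenario_high_il_not_elevated(void) {
    struct tok proc = make_tok("Badger", 0x2000), imp = make_tok("Badger", 0x3000);
    return check_impersonation(&proc, &imp, SEC_IMPERSONATION);
}
/* OTS-style, non-elevated token of another user, reached via the capability path. */
enum verdict scenario_ots_via_capability(void) {
    struct tok proc = make_tok("Badger", 0x1000), imp = make_tok("OtherUser", 0x1000);
    proc.lowbox = imp.lowbox = true;
    proc.package = imp.package = "S-1-15-2-0 (constructed package SID)";
    proc.has_constrained_imp_cap = proc.caps_superset_of_target = true;
    return check_impersonation(&proc, &imp, SEC_IMPERSONATION);
}

int main(void) {
    static const char *const names[] = { "ALLOWED", "RESTRICT_TO_IDENTIFICATION", "PRIVILEGE_NOT_HELD" };
    printf("admin takes non-admin: %s\n", names[scenario_admin_takes_nonadmin()]);
    printf("non-admin takes admin: %s\n", names[scenario_nonadmin_takes_admin()]);
    printf("High IL, not elevated: %s\n", names[scenario_high_il_not_elevated()]);
    printf("OTS via capability:    %s\n", names[scenario_ots_via_capability()]);
    return 0;
}
```

The third scenario is the defender's takeaway from the "High IL != Administrator" slide: the integrity-level comparison and the elevation check are separate gates, so a token can be blocked by one while sailing through the other, and monitoring for impersonation of elevated tokens has to look at group and privilege content, not at the integrity label alone.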
Enterprise Authentication
DEMO
Is Anything Safe?
Hit CTRL+ALT+DEL and click
Conclusions
● Admin-Approval UAC is broken
● Over-the-shoulder UAC is pretty broken on Windows 10
● Best chance you have is fast-user switching
○ Don’t switch using Explorer, always use the secure attention sequence
Thanks
Any Questions?