Windows 10 UAC Bypass Uses Backup and Restore Utility (bleepingcomputer.com)
An anonymous reader writes: "A new User Access Control (UAC) bypass technique relies on altering Windows registry app paths and using the Backup and Restore utility to load malicious code without any security warning," reports BleepingComputer. The technique works when an attacker launches the Backup and Restore utility, which loads its control panel settings page. Because the utility doesn't know where this settings page is located, it queries the Windows Registry. The problem is that low-privileged users can modify Windows Registry values and point to malware. Because the Backup and Restore utility is a trusted application, UAC prompts are suppressed. This technique only works in Windows 10 (not earlier OS versions) and was tested with Windows 10 build 15031. A proof-of-concept script is available on GitHub. The same researcher had previously found two other UAC bypass techniques, one that abuses the Windows Event Viewer, and one that relies on the Windows 10 Disk Cleanup utility.
Re: (Score:1)
"Made me scroll forever!"
What, is your screen resolution 160x120?
Re: (Score:1)
(I am not the OP / AC BTW)
Re: (Score:2)
Either /. is gaslighting us or the AC has found a way to edit their posts after the fact. Because that is exactly what I saw originally, about ten lines and no "Read the rest of the comment" at the bottom.
Auto Elevation (Score:2)
Problem 1: Why would you use the registry to find an app path? What happened to using the system environment path which is already secured? Registry. Pshhh!
Problem 2: Auto Elevation. Microsoft introduces UAC. People get annoyed with it. Microsoft introduces Auto Elevation. Guess what, still annoying and now possible security hole.
I am fine if Windows asks me to enter a user and password to elevate. It works on my *cough* Linux desktop. Annoying? Yes. Secure? More so. But really, how often does one use admin
Re: (Score:2)
What happened to using the system environment path which is already secured?
Where do you think the system environment path comes from? Why would you include a feature that isn't necessary either for system operation or system security?
Auto Elevation. Microsoft introduces UAC. People get annoyed with it. Microsoft introduces Auto Elevation. Guess what, still annoying and now possible security hole.
It's heartbreaking that Microsoft doesn't have security architects capable of guiding a redesign of their platform to reflect current OS security theory and practices.
I am fine if Windows asks me to enter a user and password to elevate. It works on my *cough* Linux desktop. Annoying? Yes. Secure? More so.
It's also considered a backward practice. Modern authentication systems should not require a "hackable" password. Also, any system administrator using a GUI interface that relies on xwi
More than 20 years but not really vulnerable (Score:2)
That's because everyone decided to just not use xauth as is and tunnel X via ssh instead to avoid that remote vulnerability. If it's not listening (which has been the default everywhere with X since about 1998 when Hummingbird finally fixed their MS Windows version of X) it's not vulnerable. You have to work hard and edit odd config files to make it vulnerable.
Re: (Score:2)
The point is its a security design flaw to provide an anachronistic feature that no one cares about anymore. (Almost) no one uses ssh to "tunnel" a window for every application that is initiated within their own user session, but that is literally what needs to be done (and a kludge, mind you) to actually have a "secure" xwindow session. While I grasp that xwindow maintainers don't consider it a "compelling" security hole, they should have deprecated the feature decades ago, to resolve the security issue
Re: (Score:2)
You are doing the equivalent of complaining that an MSDOS prompt does not ask for a login and a password. It's not a problem because it is no longer relevant. Nobody uses that insecu
Re: (Score:2)
With respect, what you are complaining about is an old remote vulnerability kept for compatibility reasons and has nothing to do with applications run locally, so I suggest you go to whoever fed you this talking point and get them to explain it to you a little better.
You are starting to look like you are complaining that the user has the ability to do things with their own application windows. N
Re: (Score:2)
Well, if it is set to back up every night, then you'd have to do it then. But yeah, kinda stupid overall.
Easy fix, set perms on that reg entry so you need rights to change it...
Re: (Score:2)
Easiest fix would be to move it from HKCU (where it has no reason to be in the first place) to HKLM. Problem solved.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
The 4095 limit he's talking about is actually linux's.
Re: (Score:2)
Re: (Score:2)
Problem 1: Why would you use the registry to find an app path? What happened to using the system environment path which is already secured? Registry. Pshhh!
Problem 2: Auto Elevation. Microsoft introduces UAC. People get annoyed with it. Microsoft introduces Auto Elevation. Guess what, still annoying and now possible security hole.
I am fine if Windows asks me to enter a user and password to elevate. It works on my *cough* Linux desktop. Annoying? Yes. Secure? More so. But really, how often does one use admin functions?
The way Windows handles stuff I need/use admin features daily. I routinely change my IP address on my interface to work with various systems. I use the task manager to diagnose issues with a system. There are others, but every time I go into the network interface it prompts for the password, I leave the interface for and then go right back into it, I type the password. I understand what the UAC was supposed to accomplish, but in the end it's another layer upon layer of stuff Microsoft has added to attemp
Re: (Score:1)
"The problem is that low-privileged users can modify Windows Registry values and point to malware."
Back when I was a little boy (Windows User/Admin) you couldn't make changes to the registry as a non-privileged user. Did this actually change? Is it really possible for a low privileged user to modify the registry? Because if so then Windows is beyond fucked in the security department (even more than we all knew they are fscked.)
Re: (Score:2)
Back when I was a little boy (Windows User/Admin) you couldn't make changes to the registry as a non-privileged user. Did this actually change? Is it really possible for a low privileged user to modify the registry?
It doesn't appear so. I just made a non-privileged user account to see if I could modify the registry. Every time it asked for elevated access and the administrator password. Using their proof-of-concept script, I can't get it to do anything either. Regedit always asks for admin privileges and an administrator password. It appears that this only works if you're using a lower setting of the UAC, have it turned off, or have the notifications disabled for it.
Re: (Score:2)
Are you using Windows 10? The article said it didn't work in earlier versions of Windows.
No I'm pretty sure it's windows 8. [imgur.com]
Exploitable with your normal account, admin group (Score:2)
> I just made a non-privileged user account to see if I could modify the registry.
Meaning the account you normally use is a member of the Administrators group? According to the article, that's the type of account this targets, a member of the admin group.
Re: (Score:2)
Meaning the account you normally use is a member of the Administrators group?
Meaning the account I use is a "local power user" account. What? You didn't know you could still make those with a little bit of effort?
Re: (Score:2)
Admin rights are not needed to modify the registry. Registry keys have ACLs, and many of them under HKEY_LOCAL_MACHINE are set to only allow modification by Administrators, but many of them under HKEY_CURRENT_USER are set to allow modification by that user. The key that this is about can be set by the user.
regedit.exe happens to ask for admin rights when the user is in the Administrators group, but other programs can be used to modify the non-admin bits of the registry.
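The two points made in this thread, that the per-user App Paths key is writable by the user and that the fix is either an ACL on that key or moving the entry to HKLM, can both be checked from an ordinary (non-elevated) PowerShell prompt. The script below is an added example written for this discussion; it is not the PoC script, the article's code, or anything a commenter posted. It assumes Windows PowerShell 5 or later and the standard App Paths locations under HKCU and HKLM; the heuristics for what counts as suspicious (target under the user profile, target missing, or a per-user entry that shadows a machine-wide entry with a different path) are this example's own choices.

```powershell
# Added example (not from the article, the PoC or the commenters).
# Audits per-user App Paths entries and prints the ACL of the HKCU key,
# so a defender can see (a) which entries point somewhere odd and
# (b) who is allowed to write the key in the first place.

$userKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths'
$machineKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths'

function Get-AppPathTarget {
    # Returns the expanded, unquoted default value of <Key>\<Name>, or $null.
    param([string]$Key, [string]$Name)
    $sub = Join-Path $Key $Name
    if (-not (Test-Path -LiteralPath $sub)) { return $null }
    $raw = (Get-ItemProperty -LiteralPath $sub -ErrorAction SilentlyContinue).'(default)'
    if ([string]::IsNullOrWhiteSpace($raw)) { return $null }
    return [Environment]::ExpandEnvironmentVariables($raw).Trim('"')
}

function Test-SuspiciousAppPath {
    # Heuristics chosen for this example: flag a per-user entry when its target
    # is missing, lives under the user's own profile (user-writable), or
    # differs from the machine-wide entry of the same name (shadowing).
    param([string]$Name, [string]$Target, [string]$MachineTarget)
    $reasons = @()
    if (-not $Target) {
        $reasons += 'no default value'
    } elseif (-not (Test-Path -LiteralPath $Target)) {
        $reasons += 'target does not exist'
    } elseif ($Target.StartsWith($env:USERPROFILE, [StringComparison]::OrdinalIgnoreCase)) {
        $reasons += 'target is inside the user profile'
    }
    if ($MachineTarget -and $Target -and ($MachineTarget -ne $Target)) {
        $reasons += "shadows HKLM entry ($MachineTarget)"
    }
    return $reasons
}

$findings = @()
if (Test-Path -LiteralPath $userKey) {
    foreach ($entry in Get-ChildItem -LiteralPath $userKey) {
        $name    = $entry.PSChildName
        $target  = Get-AppPathTarget -Key $userKey    -Name $name
        $machine = Get-AppPathTarget -Key $machineKey -Name $name
        $reasons = Test-SuspiciousAppPath -Name $name -Target $target -MachineTarget $machine
        if ($reasons.Count -gt 0) {
            $findings += [pscustomobject]@{
                Name   = $name
                Target = $target
                Reason = ($reasons -join '; ')
            }
        }
    }

    # Who may write the per-user key? On a default install the user's own SID
    # has Full Control here, which is what the thread is complaining about.
    Write-Host "Write-capable ACEs on $userKey"
    (Get-Acl -Path $userKey).Access |
        Where-Object { "$($_.RegistryRights)" -match 'FullControl|SetValue|CreateSubKey' } |
        Format-Table IdentityReference, RegistryRights, AccessControlType -AutoSize
} else {
    Write-Host "No per-user App Paths key present."
}

Write-Host "Per-user App Paths entries worth a second look:"
$findings | Format-Table -AutoSize
```

Run it as the user being audited, not from an elevated prompt, since the point is to see what that user's own token can write. Some legitimate software (Office, for example) registers App Paths entries per user, so an entry outside the Windows directory is not by itself a finding; a per-user entry that shadows a machine-wide one with a different target is the case worth investigating, and an ACL that lets the user write the key is the precondition the commenters propose removing.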
Re: Registry (Score:1)
Re: (Score:2)
And people defend them at every turn! I'm sure you saw some of the posts on the locking of new processors out of anything before Win 10. Atrocious.
Re: (Score:2)
This UAC bypass is not supposed to work for that. It only bypasses UAC by exploiting a situation where UAC normally doesn't prompt, which, as far as I know, only happens for admin accounts.
As I posted, that is an artificial restriction on regedit.exe which does not affect o
Just another intentional backdoor (Score:1)
Come on, just looking at how hard they're shoving Win10 down everyone's throat, you know the NSA placed a ton of backdoors in Win10 disguised as bugs, enough to last a decade of "bug" discoveries.
Re: Just another intentional backdoor (Score:1)
Phony (Score:2)
Come on guys. It even says it right in the script:
if($ConsentPrompt -Eq 2 -And $SecureDesktopPrompt -Eq 1){
    "UAC is set to 'Always Notify'. This module does not bypass this setting."
    exit
}
Always Notify is the default setting.
Re: (Score:2)
Always Notify is the default setting.
Oops, I was mistaken, my bad.
Re: (Score:1)
Always Notify is the default setting.
Oops, I was mistaken, my bad.
I hate you.
What? No, not because of this mistake. It's because you never finished your goddamn website! [pkunk.net] It's been under construction since 2003! >:(
Microsoft Botnet DOS Attack in Progress (Score:4, Funny)
"You walked away from your machine for ten minutes, ha ha!"
"Windows 10 is updating whether you (the fuck) like it or not."
"This should take a minute (or 20) (or 30)"
"Do not ask why replacing a few signed components takes so long"
"Do not turn off your computer"
Glad I also have an old ATM running XP SP3 to use.
Re: (Score:2)
Glad I also have an old ATM running XP SP3 to use.
Why not OS/2 Warp? :P
Getting the Blue Signed UAC prompt (Score:2)
If you want a Blue UAC prompt that indicates the program being run is signed by Microsoft and everything, you can write a program that invokes privileged parts of Windows.
For example, you can call the DISM package manager of Windows to install or remove components of Windows. And when you call it, you get the Blue "Everything is okay, it's all signed by Microsoft" UAC prompt as opposed to the Yellow "This isn't signed" UAC prompt. But using DISM irresponsibly can break a Windows installation.
Windows 10 is most secure version? (Score:2)
...This technique only works in Windows 10 (not earlier OS versions)...
Tell me it's not true, Microsoft!
Just don't run as admin (Score:2)