Security Windows Microsoft Operating Systems Privacy Software

Windows 10 UAC Bypass Uses Backup and Restore Utility (bleepingcomputer.com) 58

An anonymous reader writes: "A new User Access Control (UAC) bypass technique relies on altering Windows registry app paths and using the Backup and Restore utility to load malicious code without any security warning," reports BleepingComputer. The technique works when an attacker launches the Backup and Restore utility, which loads its control panel settings page. Because the utility doesn't know where this settings page is located, it queries the Windows Registry. The problem is that low-privileged users can modify Windows Registry values and point to malware. Because the Backup and Restore utility is a trusted application, UAC prompts are suppressed. This technique only works in Windows 10 (not earlier OS versions) and was tested with Windows 10 build 15031. A proof-of-concept script is available on GitHub. The same researcher had previously found two other UAC bypass techniques, one that abuses the Windows Event Viewer, and one that relies on the Windows 10 Disk Cleanup utility.

  • Problem 1: Why would you use the registry to find an app path? What happened to using the system environment path which is already secured? Registry. Pshhh!

    Problem 2: Auto Elevation. Microsoft introduces UAC. People get annoyed with it. Microsoft introduces Auto Elevation. Guess what, still annoying and now possible security hole.

    I am fine if Windows asks me to enter a user and password to elevate. It works on my *cough* Linux desktop. Annoying? Yes. Secure? More so. But really, how often does one use admin

    • What happened to using the system environment path which is already secured?

      Where do you think the system environment path comes from? Why would you include a feature that isn't necessary either for system operation or system security?

      Auto Elevation. Microsoft introduces UAC. People get annoyed with it. Microsoft introduces Auto Elevation. Guess what, still annoying and now possible security hole.

      It's heartbreaking that Microsoft doesn't have security architects capable of guiding a redesign of their platform to reflect current OS security theory and practices.

      I am fine if Windows asks me to enter a user and password to elevate. It works on my *cough* Linux desktop. Annoying? Yes. Secure? More so.

      It's also considered a backward practice. Modern authentication systems should not require a "hackable" password. Also, any system administrator using a GUI interface that relies on xwi

      • Security design flaws in xwindows were never fully removed, even after twenty years

        That's because everyone decided to just not use xauth as is and tunnel X via ssh instead to avoid that remote vulnerability. If it's not listening (which has been the default everywhere with X since about 1998 when Hummingbird finally fixed their MS Windows version of X) it's not vulnerable. You have to work hard and edit odd config files to make it vulnerable.

        • The point is it's a security design flaw to provide an anachronistic feature that no one cares about anymore. (Almost) no one uses ssh to "tunnel" a window for every application that is initiated within their own user session, but that is literally what needs to be done (and a kludge, mind you) to actually have a "secure" xwindow session. While I grasp that xwindow maintainers don't consider it a "compelling" security hole, they should have deprecated the feature decades ago, to resolve the security issue.

          • by dbIII ( 701233 )
            You do not seem to get it. There is no more secure alternative to a deliberately insecure connection that is only turned on by those who want to use it with legacy systems far too old to have ssh. If it's possible to update the old systems then the problem goes away entirely and you don't have to use the old very open model.
            You are doing the equivalent of complaining that an MSDOS prompt does not ask for a login and a password. It's not a problem because it is no longer relevant. Nobody uses that insecu
          • by dbIII ( 701233 )

            (Almost) no one uses ssh to "tunnel" a window for every application that is initiated within their own user session

            With respect, what you are complaining about is an old remote vulnerability kept for compatibility reasons that has nothing to do with applications run locally, so I suggest you go to whoever fed you this talking point and get them to explain it to you a little better.

            You are starting to look like you are complaining that the user has the ability to do things with their own application windows. N

    • Well, if it is set to back up every night, then you'd have to do it then. But yeah, kinda stupid overall.

      Easy fix, set perms on that reg entry so you need rights to change it...

      • Easiest fix would be to move it from HKCU (where it has no reason to be in the first place) to HKLM. Problem solved.

    • Old Windows had a 2047 char limit on the PATH env var. Now it is up to 4095. That sucker can fill up fast, especially if you do development on it.
      • A linker command in larger projects can easily blow over those limits, necessitating hacks in build systems. To me it's one of the most striking examples suggesting just how poorly Microsoft reinvented Unix. Another related issue is that the command line is passed as a single string in the Windows API while individual args are sent in separate strings in POSIX APIs. Separate strings make more sense for the lowest level API. Parsing command lines and handling escaping to be able to pass arguments with spaces for sure isn't job
        • by t0y ( 700664 )
          Actually, he's wrong. The soft limit was 260 and now the OS is removing the limit in some built-in applications, bringing it back to the native limit which is around 32700 characters (you can test 7-zip, for example, in Windows 7: it won't have the soft limit).
          The 4095 limit he's talking about is actually linux's.
    • Problem 1: Why would you use the registry to find an app path? What happened to using the system environment path which is already secured? Registry. Pshhh!

      Problem 2: Auto Elevation. Microsoft introduces UAC. People get annoyed with it. Microsoft introduces Auto Elevation. Guess what, still annoying and now possible security hole.

      I am fine if Windows asks me to enter a user and password to elevate. It works on my *cough* Linux desktop. Annoying? Yes. Secure? More so. But really, how often does one use admin functions?

      The way Windows handles stuff I need/use admin features daily. I routinely change my IP address on my interface to work with various systems. I use the task manager to diagnose issues with a system. There are others, but every time I go into the network interface it prompts for the password, I leave the interface for and then go right back into it, I type the password. I understand what the UAC was supposed to accomplish, but in the end it's another layer upon layer of stuff Microsoft has added to attemp

  • by Anonymous Coward

    Come on, just looking at how hard they're shoving Win10 down everyone's throat, you know the NSA placed a ton of backdoors in Win10 disguised as bugs, enough to last a decade of "bug" discoveries.

  • Come on guys. It even says it right in the script:

    if($ConsentPrompt -Eq 2 -And $SecureDesktopPrompt -Eq 1){
        "UAC is set to 'Always Notify'. This module does not bypass this setting."
        exit
    }

    Always Notify is the default setting.
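The check quoted in the comment above reads the two policy values that define the UAC level. The PowerShell below is an added example, written for this page and not taken from the story, BleepingComputer, or the researcher's proof-of-concept script. It reports the UAC level and whether auto-elevation is in play, then audits the per-user App Paths key that the story says the bypass alters. It assumes only documented locations: the policy values EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, and HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths, where a standard user can register a per-application executable path. For reference, an out-of-box Windows 10 install ships at ConsentPromptBehaviorAdmin 5 / PromptOnSecureDesktop 1 ("Notify me only when apps try to make changes"); the (2, 1) pair the script tests for is "Always notify", the one level at which Microsoft-signed binaries do not auto-elevate. The "shadows a System32 binary" heuristic is this example's own, not a Microsoft check.

```powershell
# Added example, not from the story or the PoC script. Audits the two conditions
# this thread turns on: (1) whether the UAC level permits auto-elevation at all,
# and (2) whether the current user has HKCU App Paths entries that could redirect
# an auto-elevating binary's lookup of a helper executable.
#
# Registry locations used (documented by Microsoft):
#   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
#     EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop
#   HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\<name>.exe  (Default) = target
# Reading these keys needs no elevation; run as the user you want to audit.

function Get-UacLevel {
    $sys = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $enabled = [int]$sys.EnableLUA
    $consent = [int]$sys.ConsentPromptBehaviorAdmin
    $secure  = [int]$sys.PromptOnSecureDesktop

    # The PoC quoted above exits on (2,1); every other combination with UAC on
    # leaves auto-elevation of eligible Microsoft-signed binaries enabled.
    if ($enabled -eq 0) {
        $level = 'UAC disabled'
    } elseif ($consent -eq 2 -and $secure -eq 1) {
        $level = 'Always notify (auto-elevation off)'
    } elseif ($consent -eq 5 -and $secure -eq 1) {
        $level = 'Notify only when apps try to make changes (out-of-box default; auto-elevation on)'
    } elseif ($consent -eq 5 -and $secure -eq 0) {
        $level = 'Notify without secure desktop (auto-elevation on)'
    } elseif ($consent -eq 0) {
        $level = 'Never notify (elevate silently)'
    } else {
        $level = "Custom setting ($consent/$secure)"
    }

    [pscustomobject]@{
        EnableLUA                  = $enabled
        ConsentPromptBehaviorAdmin = $consent
        PromptOnSecureDesktop      = $secure
        Level                      = $level
        AutoElevationPossible      = ($enabled -ne 0) -and -not ($consent -eq 2 -and $secure -eq 1)
    }
}

function Get-UserAppPathOverrides {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths'
    if (-not (Test-Path -Path $key)) { return }
    $system32 = Join-Path ([Environment]::GetFolderPath('Windows')) 'System32'

    foreach ($sub in Get-ChildItem -Path $key) {
        $target = (Get-ItemProperty -Path $sub.PSPath).'(default)'
        $exe = $null
        if ($target) {
            # A target may be quoted and may carry arguments; keep only the executable.
            $exe = if ($target -match '^"([^"]+)"') { $Matches[1] } else { $target }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
        }
        $exists = [bool]($exe -and (Test-Path -LiteralPath $exe -PathType Leaf))
        $status = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status.ToString() } else { 'NotFound' }
        # Heuristic (this example's own, not a Microsoft check): a per-user entry whose
        # name matches a real System32 binary shadows that binary for App Paths lookups.
        $shadows = Test-Path -LiteralPath (Join-Path $system32 $sub.PSChildName) -PathType Leaf

        [pscustomobject]@{
            Name            = $sub.PSChildName
            Target          = $target
            Exists          = $exists
            Signature       = $status
            ShadowsSystem32 = $shadows
            Suspicious      = $shadows -or (-not $exists) -or ($status -ne 'Valid')
        }
    }
}

$uac = Get-UacLevel
$uac | Format-List
if ($uac.AutoElevationPossible) {
    Write-Warning 'Auto-elevation is enabled: trusted binaries elevate without a prompt, so any user-writable lookup they perform is a privilege boundary.'
}
$overrides = @(Get-UserAppPathOverrides)
if ($overrides.Count -eq 0) {
    'No per-user App Paths entries.'
} else {
    $overrides | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize
}
```

Legitimate per-user installs (a browser installed into the user's profile, for example) also register themselves under HKCU App Paths, so a non-empty list is not by itself a finding; the entries to look at first are those whose name collides with a System32 binary, whose target is missing, or whose target is unsigned. The script reads registry and file metadata only and changes nothing.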

  • by TheRealHocusLocus ( 2319802 ) on Saturday March 18, 2017 @07:55AM (#54064651)

    "You walked away from your machine for ten minutes, ha ha!"
    "Windows 10 is updating whether you (the fuck) like it or not."
    "This should take a minute (or 20) (or 30)"
    "Do not ask why replacing a few signed components takes so long"
    "Do not turn off your computer"

    Glad I also have an old ATM running XP SP3 to use.

  • If you want a Blue UAC prompt that indicates the program being run is signed by Microsoft and everything, you can write a program that invokes privileged parts of Windows.

    For example, you can call the DISM package manager of Windows to install or remove components of Windows. And when you call it, you get the Blue "Everything is okay, it's all signed by Microsoft" UAC prompt as opposed to the Yellow "This isn't signed" UAC prompt. But using DISM irresponsibly can break a Windows installation.

  • ...This technique only works in Windows 10 (not earlier OS versions)...

    Tell me it's not true, Microsoft!

  • It's easy having a separate admin account, which is rarely used.
