Coffeehouse Thread

184 posts

UAC controversy - the last episode!

  • AndyC

    W3bbo said:
    AndyC said:
    *snip*

    What about Mac OS X's control panel? It's arguably simpler than Windows 95's.

    I like how in OS X and in most Mac applications settings take effect as soon as a checkbox is filled rather than when you hit Apply.

    It's also trivial to exploit.

  • LeoDavidson

    Charles said:
    AndyC said:
    *snip*

    Whatever. I'm finished with this topic.

    C

    I'm not sure what's worse: That we have to spend so long to convince MS people that remote-code-execution vulnerabilities exist (duh!) and can be made worse by combining them with a silent, instant UAC bypass, or that once that obvious fact is finally repeated enough times for it to sink in the response is always the same: Silence.

    Besides which, WTF is the point of the UAC prompts, secure desktop, etc. if MS are happy to ignore a trivial (2 days to research and write from scratch) bypass mechanism which was raised four months ago, back when Windows was still at the public beta stage?

    (Ignore, I might add, without even bothering to get the full details of what it was. To me that screams, "We know this feature is now just for show and we thus don't care about any issues people raise.")

    Meanwhile using standard user still sucks and will be considered unusable by most people, because MS's private UAC-exemption backdoor only covers up the same old badly designed, prompt-(about-prompt)-spamming code for admin users, and third-party apps suffer under admin accounts for pure security theater.

    It's crystal clear that the new UAC setting/default is an attempt to appease the complaints about Vista's UAC prompt-spamming -- a good aim but a terrible way to go about it! -- without appearing to go back to the bad-old-days of XP.

    Yeah, if you make it so users see the odd UAC prompt for other people's software then they'll feel like they're secure, even though by default the prompts are now worth no more than a MessageBox("Are you sure?", MB_OKCANCEL)

    (UAC itself isn't worthless, of course, but the prompts are at the default mode.)

     

  • LeoDavidson

    wastingtimewithforums said:
    Charles said:
    *snip*

    "Yes. See answer number 1.)"

    ----

    Yes, and that proves your point... how exactly? An exploited Acrobat Reader couldn't get root access (without a UAC prompt); now it can. That fact ISN'T in your favour, guys.

    [EDIT: I was wrong about Flash/PDF within protected-mode IE. See reply on 8th page.]

    It's also worth noting that both Flash and Adobe Reader run within medium-IL proxy processes even when used with low-IL Internet Explorer. We all wish they didn't, and wish more things supported low-IL, but we still live in a reality where that isn't the case. Low-IL is the exception, not the rule. There are still plenty of "innocent" actions, like visiting a webpage in an up-to-date low-IL browser or double-clicking what you think is a static image or document file, which can result in malicious code being run.

    It doesn't have to be a "dodgy" webpage or file, either. There have been several cases this year alone where non-malicious sites and advertising networks have been hijacked by bad people to deliver malicious content to unsuspecting users.

    UAC isn't only about malicious code, obviously, but it's pretty useful at slowing it down and/or limiting how deeply it can embed itself in the system itself. I'd say that's the primary benefit of the prompts for admin accounts. (Even though UAC isn't a security boundary, it is still a security feature.)

    If you remove that benefit then what's left? Just the idea of making apps which show too many prompts annoy admin users with the misguided idea that it'll be more likely to make people push for those apps to be redesigned than for those people to simply turn off UAC if it bothers them... A pretty rich idea, too, considering Microsoft's apps (when their private backdoor is taken away) were and still are the worst offenders when it comes to this.

  • blowdart

    LeoDavidson said:
    wastingtimewithforums said:
    *snip*

    Well, Flash is an incredibly nasty piece of software. Adobe simply ignores privacy mode, be it in IE or Mozilla, and allows Flash "cookies" regardless. And Acrobat is one of the easier vectors to exploit these days: just embed a PDF which has the JavaScript exploit and it will run, no prompts to the user.

  • WithinRafael

    LeoDavidson said:
    wastingtimewithforums said:
    *snip*

    Quote from http://blogs.msdn.com/uac/archive/2006/06/01/613098.aspx:

    The problem with marking Windows binaries to “silently elevate” is that we feel it will lead to “worms” or self propagating malware.  If, for example, the user marks MMC.exe (the Microsoft Management Console) as “silent elevate” so that the device setup dialogs don’t prompt for elevation, malware running as Standard User would be able to use that setting to launch MMC with a set of command line parameters that accomplish tasks that we don’t want to happen silently, such as adding a new admin account to the system.  As another example, if you mark Format.com as a “silent elevator,” malware can then do a format of the OS drive.

    I think it's safe to say this team isn't working on UAC anymore...

  • Sven Groot

    Uxtheme Rafael said:
    LeoDavidson said:
    *snip*

    I think it's safe to say this team isn't working on UAC anymore...

    That's what pisses me off the most. MS is treating it like we're all wrong about what UAC is supposed to do, yet a scant few years ago the very people working on Vista UAC agreed with the points we are now arguing.

  • blowdart

    Uxtheme Rafael said:
    LeoDavidson said:
    *snip*

    I think it's safe to say this team isn't working on UAC anymore...

    Ah except silent elevation only happens for administrators, your quote talks about making silent elevation happen for standard users.

  • AndyC

    Sven Groot said:
    Uxtheme Rafael said:
    *snip*

    That's what pisses me off the most. MS is treating it like we're all wrong about what UAC is supposed to do, yet a scant few years ago the very people working on Vista UAC agreed with the points we are now arguing.

    Not only that, but most of us are probably aware of this issue because the original UAC team did such a good job of explaining why it couldn't whitelist apps the first time around.

  • ManipUni

    I think I'm starting to side with Microsoft on this issue. The more I look at UAC the more I realize that the entire thing is a waste of time with or without the whitelist. All the whitelist does is draw attention to a large hole that already exists in the way UAC functions. It *might* make automating escalation slightly easier, but I would say it is a relatively easy thing to do either way.

    My advice to Windows 7 (and Vista) users now is, don't run as an administrator account. UAC will offer no protection. Run as a user and create an administrator account to login using the UAC prompt. That gives you UAC with real process isolation.

  • LeoDavidson

    ManipUni said:
    *snip*

    The more I look at UAC the more I realize that the entire thing is a waste of time with or without the whitelist.

    Run as a user and create an administrator account to login using the UAC prompt.

    Prompt-spoofing can be done from standard user accounts. e.g. You want to open an elevated command prompt. Something's waiting for you to click that button and gets there first. All you see is a UAC dialog saying cmd.exe from Microsoft is about to be run. You don't know it's being run with different arguments, so you type your password in and by the time you see the second UAC prompt it's too late.

    (Even code-injection could also be done from standard user accounts, although it is far, far more difficult. If someone spends enough time analysing the target process they could do it, though. e.g. You trigger an elevation in Explorer. Something's waiting for you to do that and finds the elevated IFileOperation object pointer in Explorer's memory and starts sending commands to it. Very, very difficult but not impossible.)

    Even if you don't use elevation at all, and use fast user switching instead, things can go wrong. If you decide to browse the web using standard user for security, how do you know that an unsigned exe you download hasn't been changed by malware between you saving it to disk and you switching to the admin account to run the installer?

    So there are issues even with standard user elevation and the real security boundary. That's life. It doesn't mean we should throw our hands up and ignore all security issues with standard user accounts, does it? So why are we doing that with limited-admin accounts when they are still what the majority of non-business users will use?

    It all boils down to making things difficult enough that they will not be exploited quickly or often.

    What the default settings are, and what users will actually put up with, also cannot be ignored.

    You can say people should change the defaults to be more secure but it's about as likely to happen for most users as people changing to Linux to be more secure.

    You can say that people should put up with the hassle of typing in a password five times in a row because they needed to move some data around in Program Files, but that's about as likely to happen as people disassembling every program they download to check for malicious code.

    The situation we're in now is that the default settings have been made easy to bypass. That's not good.

    Edit: But if we do throw our hands up and give up on making limited-admin as secure as possible, let's admit that's what we've done and not inflict pointless UAC prompts on third-party software just for show.
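
An added example, not code from the thread or from Microsoft, to make the two things the posts above keep returning to checkable on a real machine: which UAC prompt level the box is actually running at (the "default settings" LeoDavidson is talking about, and the silent-elevation setting the quoted 2006 UAC blog post warned about), and which Windows binaries carry the autoElevate manifest flag that Windows 7 honours for signed binaries in protected locations. It assumes Windows 7 or later with Windows PowerShell 3 or newer, and the registry value meanings follow the documented UAC policy settings; the byte-level manifest search is a crude inventory, not a manifest parser.

```powershell
# Added example, not code from the thread or from Microsoft.
# Reports the effective UAC policy and inventories autoElevate binaries.
# Assumes Windows 7+ with Windows PowerShell 3+; run from an unelevated prompt.

$UacPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPolicy {
    # All four values are readable by a standard user.
    $p = Get-ItemProperty -Path $UacPolicyKey
    [pscustomobject]@{
        EnableLUA                  = [int]$p.EnableLUA
        ConsentPromptBehaviorAdmin = [int]$p.ConsentPromptBehaviorAdmin
        ConsentPromptBehaviorUser  = [int]$p.ConsentPromptBehaviorUser
        PromptOnSecureDesktop      = [int]$p.PromptOnSecureDesktop
    }
}

function Describe-UacPolicy {
    param([Parameter(Mandatory)]$Policy)
    if ($Policy.EnableLUA -ne 1) {
        return 'UAC is off: admin logons get the full token and nothing ever prompts.'
    }
    $admin = switch ($Policy.ConsentPromptBehaviorAdmin) {
        0 { 'elevate silently, never prompt' }
        1 { 'prompt for credentials (always on the secure desktop)' }
        2 { 'prompt for consent (always on the secure desktop; the Vista default)' }
        3 { 'prompt for credentials' }
        4 { 'prompt for consent' }
        5 { 'prompt for consent for non-Windows binaries only (the Windows 7 default)' }
        default { "unrecognised value $($Policy.ConsentPromptBehaviorAdmin)" }
    }
    $user = switch ($Policy.ConsentPromptBehaviorUser) {
        0       { 'elevation requests are denied outright' }
        default { 'prompt for an administrator password' }
    }
    $desktop = if ($Policy.PromptOnSecureDesktop -eq 1) { 'on the secure desktop' }
               else { 'on the interactive desktop, where other processes can draw over it' }
    "Admin accounts: $admin, $desktop. Standard users: $user."
}

function Find-AutoElevateBinaries {
    param([string]$Directory = "$env:SystemRoot\System32")
    # The application manifest is embedded in the PE as plain XML (RT_MANIFEST),
    # so a substring search over the raw bytes is enough for an inventory.
    $latin1  = [System.Text.Encoding]::GetEncoding(28591)   # 1 byte = 1 char, lossless
    $pattern = '<autoElevate>\s*true\s*</autoElevate>'
    Get-ChildItem -Path "$Directory\*" -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            try   { $text = $latin1.GetString([System.IO.File]::ReadAllBytes($_.FullName)) }
            catch { return }                                 # unreadable file: skip it
            if ($text -match $pattern) {
                # autoElevate is only honoured for binaries signed by the Windows
                # publisher, so report the signer next to the flag.
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Name   = $_.Name
                    Status = [string]$sig.Status
                    Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
                }
            }
        }
}

# Usage:
Describe-UacPolicy (Get-UacPolicy)
Find-AutoElevateBinaries | Sort-Object Name | Format-Table -AutoSize
```

On a stock Windows 7 install the first line comes back as level 5 on the secure desktop, which is exactly the configuration the thread is arguing about: a binary in the second list launched by anything running in the admin user's session elevates without a prompt, while a third-party binary still gets one. Levels 3 to 5 with PromptOnSecureDesktop set to 0 are the combinations where the prompt is drawn on the normal desktop and the spoofing scenarios later in the thread get easier.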

  • ManipUni

    LeoDavidson said:
    ManipUni said:
    *snip*

    Which is why I am suggesting people use something other than the default which is harder to bypass. While logging into an administrator account via UAC is still somewhat flawed it is better than either UAC in Vista or whitelisted UAC in 7. Secure desktop helps mitigate some UI hijack issues.

    But I do grant that you could entirely replace for example the Firewall Control Panel applet and people would just login to admin and escalate your new nasty applet. But I'm not sure how much can be done to mitigate that. I guess you could suggest people fast user switch but that is asking more than most normal people are willing to give.

  • AndyC

    ManipUni said:
    LeoDavidson said:
    *snip*

    ManipUni said:
    Which is why I am suggesting people use something other than the default which is harder to bypass. While logging into an administrator account via UAC is still somewhat flawed it is better than either UAC in Vista or whitelisted UAC in 7. Secure desktop helps mitigate some UI hijack issues.

    That is absolutely the best way to do things, but it can also be the most frustrating if you have a lot of applications that aren't Standard User friendly. One of the goals of UAC in Vista was to make more applications Standard User friendly, which would make taking this most secure route much more palatable. Sadly Windows 7 has jumped the shark in that regard, what we will now see is more apps that appear (and claim) to be Standard User friendly, but only do so by exploiting silent elevation. And fixing that in future versions of Windows could be the biggest nightmare the appcompat team will ever have.

    ManipUni said:
    But I do grant that you could entirely replace for example the Firewall Control Panel applet and people would just login to admin and escalate your new nasty applet. But I'm not sure how much can be done to mitigate that. I guess you could suggest people fast user switch but that is asking more than most normal people are willing to give.

    Not really. How do you replace the Firewall control panel without having Administrator rights? And if you were able to obtain Administrator rights at some point, why would you bother messing around with the Firewall Control panel when you already own the machine at that point?

  • ManipUni

    AndyC said:
    ManipUni said:
    *snip*

    Not really. How do you replace the Firewall control panel without having Administrator rights? And if you were able to obtain Administrator rights at some point, why would you bother messing around with the Firewall Control panel when you already own the machine at that point?

    The Firewall Control Panel applet is displayed by Explorer running within your session. You just modify the process to direct the Firewall applet to another applet of your choice.

  • wastingtimewithforums

    ManipUni said:
    *snip*

    "All the whitelist does is draw attention to a large hole that already exists in the way UAC functions. It *might* make automating escalation slightly easier, but I would say it is a relatively easy thing to do either way."

    --------------------------

    Is automatic escalation really easy in Vista? OK then, how do you circumvent Vista's UAC prompts? Show me an example.. Because, frankly, I have never seen one. Of course I have seen something that claims it can circumvent it, as example:

    http://neosmart.net/blog/2008/ireboot-and-working-around-uac-limitations/

    But at the end, it doesn't really circumvent it, quote:

    --------------------

    "While digging around for possible solutions, it became clear that the only possible fix would be to split iReboot into two parts. One would run in the background as a service, running under the SYSTEM or LOCAL SERVICE accounts and having privileged access to the OS without requiring admin approval or UAC elevation, and with the second half running as an unprivileged userspace client program which interacts with the service backend to get stuff done.

    The resulting application has an installer - which requires admin privileges, of course - which installs and launches the background service. The background service has full permission to do what we need to get operating system XXXX to be the default option for the next boot, but - in line with the Windows Service Model - cannot be interacted with by end users."

    -------------------

    All the examples I have seen _still_ ask for a prompt at some point. Can you show me an .exe, that disables Vista's UAC instantly without any prompts?

  • AndyC

    ManipUni said:
    AndyC said:
    *snip*

    The Firewall Control Panel applet is displayed by Explorer running within your session. You just modify the process to direct the Firewall applet to another applet of your choice.

    If you altered the Explorer process so it pointed the firewall applet at a different control panel, you'd get a different UAC prompt (either the orange unsigned one or the grey "signed by third party" one), whereas the normal Firewall control panel generates the green/blue Windows one. It's not perfect, but it's another layer of defense if you know what you are looking for.

  • ManipUni

    wastingtimewithforums said:
    ManipUni said:
    *snip*
    I cannot show you an application that disables UAC instantly.

    But what can be done is you can write an application that will monitor process launches within its session, inject code into them, and wait for a user to escalate any one of them. As soon as any process is escalated you've won. Since Win32 lets you alter other processes within the same session it is fairly trivial to do.

    Alternatively, and as pointed out above, you could monitor downloaded files and inject code into any *.dll, *.exe, *.com etc. files you run across. Even if it invalidates the signature, most people would assume that something from Microsoft.com, for example, is safe and launch it.
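
An added example, not code from the thread, for the download-tampering scenario raised twice above (LeoDavidson's unsigned installer changed between saving and running it from the admin account, and ManipUni's point that patching a signed file invalidates its signature) and for AndyC's observation that the prompt colour reflects the signature state. It records a downloaded executable's SHA-256 and Authenticode status in the standard-user session and re-checks both before the file is run elevated. It assumes Windows PowerShell 4 or newer (for Get-FileHash); the sidecar record file name and the vendor-hash parameter are assumptions of this example.

```powershell
# Added example, not code from the thread. Assumes Windows PowerShell 4+.
# Record a downloaded executable's provenance, then re-verify it before elevation.

function Get-ExecutableProvenance {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path            = (Resolve-Path -Path $Path).Path
        Sha256          = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        SignatureStatus = [string]$sig.Status        # Valid, NotSigned, HashMismatch, ...
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

function Save-ExecutableRecord {
    # Run in the session that performed the download, right after it finished.
    param([Parameter(Mandatory)][string]$Path,
          [string]$RecordPath = "$Path.provenance.json")   # assumed sidecar name
    $record = Get-ExecutableProvenance -Path $Path
    $record | ConvertTo-Json | Set-Content -Path $RecordPath -Encoding UTF8
    $record
}

function Test-ExecutableBeforeElevation {
    # Run in the admin session, before the file is double-clicked or elevated.
    param([Parameter(Mandatory)][string]$Path,
          [string]$RecordPath = "$Path.provenance.json",
          [string]$ExpectedSha256)                          # hash published by the vendor, if any
    $now      = Get-ExecutableProvenance -Path $Path
    $problems = @()

    if (Test-Path -Path $RecordPath) {
        $then = Get-Content -Path $RecordPath -Raw | ConvertFrom-Json
        if ($now.Sha256 -ne $then.Sha256) { $problems += 'contents changed since the record was saved' }
        if ($now.Signer -ne $then.Signer) { $problems += 'signer changed since the record was saved' }
    } else {
        $problems += 'no provenance record from the download session'
    }

    if ($ExpectedSha256 -and $now.Sha256 -ne $ExpectedSha256.ToUpperInvariant()) {
        $problems += 'hash does not match the value published by the vendor'
    }

    switch ($now.SignatureStatus) {
        'Valid'     { }
        'NotSigned' { $problems += 'unsigned: nothing ties the file to a publisher, so the hash is all you have' }
        default     { $problems += "signature check failed ($($now.SignatureStatus)): the file was altered after signing" }
    }

    [pscustomobject]@{
        Path          = $now.Path
        Signer        = $now.Signer
        SafeToElevate = ($problems.Count -eq 0)
        Problems      = $problems
    }
}

# Usage (paths are illustrative):
# standard-user session:  Save-ExecutableRecord -Path "$env:USERPROFILE\Downloads\setup.exe"
# admin session:          Test-ExecutableBeforeElevation -Path "$env:USERPROFILE\Downloads\setup.exe"
```

Two caveats. The record lives in the same user-writable folder as the download, so anything already running with that user's rights can rewrite both; treat it as tamper evidence, not a boundary, and keep it somewhere the standard user cannot write or compare the hash by eye against the vendor's page. The signature status is the part an attacker cannot repair without the publisher's signing key, and it is the same status the consent prompt uses to pick its colour, so a file that was fine when saved and now reports HashMismatch is exactly the case the posts above describe.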

  • wastingtimewithforums

    ManipUni said:
    wastingtimewithforums said:
    *snip*

    "But what can be done is you can write an application that will monitor process launches within its session, inject code into them, and wait for a user to escalate any one of them. As soon as any process is escalated you've won. Since Win32 lets you alter other processes within the same session it is fairly trivial to do."

    And this is easy? First of all you would have a background application in the task manager, always visible - problem 1 (and some anti-virus/anti-spyware software gives alarms if an unknown process is always active in the background).

    It's a guess game - there is very high chance that the user won't elevate any application. If mom&pop work only with the browser+mail client+word they don't see the elevation prompt that often. Maybe once a week or so (MAYBE) - problem 2

    Problem 3 - this attack works with a standard account! And exactly like that - it lurks in the background and injects into processes, if the user elevates an infected process.. boom. What's the difference? Where is the standard account superior then? The additional password request?

     

    Your second way has the same problems. Sorry, but I still don't see how being able to circumvent UAC instantly, without any guess games, is supposed to be not a vulnerability.

  • WithinRafael

    blowdart said:
    Uxtheme Rafael said:
    *snip*

    Ah except silent elevation only happens for administrators, your quote talks about making silent elevation happen for standard users.

    You do realize the majority of Windows 7 users will be using Administrator accounts, right?

     
