Researcher Reveals 2-Step Vista UAC Hack

Robert Paveza, a senior Web application developer with Web-based marketing company Terralever, has uncovered a two-step process for exploiting Windows Vista's User Account Control. In his published paper, Paveza said that the vulnerability uses a two-part attack vector against a default Vista installation. The first step requires that a proxy infection tool be downloaded and run without elevation. That software can behave as the victim expects it to while it sets up a second malicious payload in the background. "For instance, if users believe they are downloading a 'Pac-Man' clone, such a game could be run while the malicious software did its work in the background. This pattern of infection follows the typical Trojan horse model, piggybacking on what may be otherwise legitimate software," said Paveza.

Microsoft is aware of demonstrations that "purport" to show how a Vista system can be attacked. A Microsoft spokesperson said the demonstration provided by Paveza is of actions an attacker can take on a system that already has been compromised by another means: "With this in mind, it is important to note that user interaction is required for the initial infection of the Trojan to occur. The user must open the attacker's malicious executable. Furthermore, the successive social engineering attempt will only be successful if the user inadvertently clicks on the malicious shortcut. In fact, at this point, the user must be part of the local administrator's group or provide administrator credentials at the UAC prompt."
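One defensive check that follows from the attack as described, added here as an example and not taken from the article or Paveza's paper: a PowerShell script, assumed to run as the ordinary non-elevated user (the baseline file location is also an assumption), that records each per-user shortcut's target and arguments, then on later runs reports any shortcut whose target changed or now points into a folder an unelevated process can write to, which is where a "proxy" program could have placed its second payload.

```powershell
# Added example, not from the article or Paveza's paper. Assumes it runs as the
# ordinary (non-elevated) user; the baseline file location is an assumption.
$Baseline = Join-Path $env:LOCALAPPDATA 'shortcut-baseline.json'
$ShortcutDirs = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('Programs')     # per-user Start Menu\Programs
)
# Folders an unelevated process can write to: a planted payload would live here.
$UserWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) | Where-Object { $_ }
$Shell = New-Object -ComObject WScript.Shell

function Get-ShortcutInventory {
    foreach ($dir in $ShortcutDirs) {
        Get-ChildItem -Path $dir -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                $lnk = $Shell.CreateShortcut($_.FullName)   # reads the .lnk fields
                [pscustomobject]@{
                    Path      = $_.FullName
                    Target    = $lnk.TargetPath
                    Arguments = $lnk.Arguments
                }
            }
    }
}

$current = @(Get-ShortcutInventory)
if (-not (Test-Path $Baseline)) {
    # First run: record what the user's shortcuts point at today.
    $current | ConvertTo-Json | Set-Content -Path $Baseline
    Write-Host "Baseline written to $Baseline ($($current.Count) shortcuts)."
    return
}
$saved = @{}
foreach ($s in @(Get-Content $Baseline -Raw | ConvertFrom-Json)) { $saved[$s.Path] = $s }
foreach ($s in $current) {
    $old = $saved[$s.Path]
    if (-not $old) {
        Write-Warning "NEW shortcut: $($s.Path) -> $($s.Target) $($s.Arguments)"
    } elseif ($old.Target -ne $s.Target -or $old.Arguments -ne $s.Arguments) {
        # The swap the article describes: same shortcut name, different launch target.
        Write-Warning "CHANGED: $($s.Path) now runs '$($s.Target)' $($s.Arguments); was '$($old.Target)' $($old.Arguments)"
    }
    foreach ($root in $UserWritable) {
        if ($s.Target -like "$root\*") {
            Write-Warning "USER-WRITABLE target: $($s.Path) -> $($s.Target)"
            break
        }
    }
}
```

Per-user installs (some browsers, for instance) legitimately live under LOCALAPPDATA, so the user-writable warning is a prompt to look, not proof of tampering; the CHANGED warning is the one that matches the described attack.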

View: User-Prompted Elevation of Unintended Code in Windows Vista (PDF)
News source: eWeek


45 Comments


my grandma just sent me new pics of her dog, let's download and install this file even though grandma doesn't have a dog or a computer......

oh teh noes

This seems like something that could happen to any OS, not just Windows. Whenever a "user" has to be involved in the attack it seems like it's the user's fault more than anything.

If I lock my car doors but leave the window open and someone steals my car, I don't complain to the car manufacturer for their lack of security options. This is what this hack seems like to me.

When a user has to be involved in the attack I find it to be far less of an issue than if someone can simply find my machine and take control of it without my interaction at all.

Let's play a game where I give you any combination of any number of executables, applications, programs, scripts, batch files, binaries, etc., and for every single one, you have to authenticate and run with admin/root privileges. What OS wouldn't be compromised?

I love all these reports whining and crying about UAC. Face the facts, UAC *IS* good for Vista and UAC *IS* here to stay.

It's ridiculous that these so-called "demonstrations" are happening where a user has to go through unbelievable measures just to bypass UAC, and even if they do that, their a/v, spyware, malware software will take the next step in stopping it.

But yeah, if some idiot is on a "default" Vista install which would essentially require someone to install it and then as soon as it boots for the first time, play this "pac-man" game before taking the necessary precautions. Not going to happen.

oh COME ON! Log in as root in Linux and then run a program to let it open a backdoor and let a hacker in..
Let's see how secure Linux is then... this is just plain old stupid.. How can an OS determine if the program the user is running is what the user wanted or is doing something the user did not want? An OS just obeys commands, it isn't like we're building AI into these OSes ...

Exactly, any usable computer will be 'hackable' unless it is running some kind of AI that can make human-level decisions by itself, which no current computer ever could. The alternative is to make it so the user can't change/delete/execute files, which would make it a TV or Radio or Box, not a computer.

If you are running a hardened linux box, even root will be prevented from screwing the system by running some random program.

ichi said,
If you are running a hardened linux box, even root will be prevented from screwing the system by running some random program.

What do you mean by hardened? That is ambiguous. If you mean all users are user mode and there is no root, you could disable UAC and delete admin accounts from Windows as well. So what's the difference? Then again, I am assuming a general definition of hardened; it may be that you meant some encryption or specialized hardware, but there's no reason Windows can't do the same. I need to know what you mean though, assuming you weren't repeating phrases you don't understand.

"Security experts" in MS are SOOOOOO stupid and awful psychologists. :mad:

"User interaction required" is just a marketing excuse. "User is guilty, we are not!" It sounds stupid. "Trojan horse" is an ancient way to compromise security and cannot be ignored. Even an experienced "Administrator" often can't tell whether a "trojan" exists in some software.

But the GENERAL purpose of "security tools" is to PROTECT THE USER, even if the user is trying to do some dangerous things. The "tool" must protect the system from ANY attempt to compromise it, even one caused by "user interaction".

Yes, it's an extremely difficult task to identify a "bad action". Just don't call your system "most secure ever", just be honest.

You don't understand what you are talking about and you are wasting people's time reading and replying to your stupid bs. If a computer user can't read/change/execute files, it's not a computer system. Computers by definition are hackable. Otherwise, it'd be a TV or a Radio, which usually is not hackable. All the OS can do is ask if you want to change files, but the user changes their own files too frequently for this to be desirable, so instead it just asks when the user tries to change system or installed program files. This can be disabled so the user gets a denied message every time; otherwise the user has selected to do a query/response for such operations and must answer appropriately. Vista works as designed, the design is sound, unless you can prove otherwise. Saying it sucks is not proof, it's a subjective pseudo-opinion, not even a real opinion, because it's not really possible for someone to rationally believe something is wrong without an idea of how it could be better, and you had no such idea, so you're just trying to sound smart in front of some strangers. In short, get a clue.

J_R_G said,
You don't understand what you are talking about and you are wasting people's time reading and replying to your stupid bs. If a computer user can't read/change/execute files, it's not a computer system. Computers by definition are hackable. Otherwise, it'd be a TV or a Radio, which usually is not hackable. All the OS can do is ask if you want to change files, but the user changes their own files too frequently for this to be desirable, so instead it just asks when the user tries to change system or installed program files. This can be disabled so the user gets a denied message every time; otherwise the user has selected to do a query/response for such operations and must answer appropriately. Vista works as designed, the design is sound, unless you can prove otherwise. Saying it sucks is not proof, it's a subjective pseudo-opinion, not even a real opinion, because it's not really possible for someone to rationally believe something is wrong without an idea of how it could be better, and you had no such idea, so you're just trying to sound smart in front of some strangers. In short, get a clue.

Let's keep this civil.

Anyone remember when a 'Hacker' was a guy who hacked programs together... Why the widespread adoption of this word with the meaning of 'Cracker', which is the correct term for it?

I remember! It was about the same time as when people didn't whine about whether people used the term hacker or cracker. The general population really doesn't care. Oh, and really, despite your obvious feelings to the contrary, you don't appear smarter for trying to make it an issue.

Wow.. So, an exe that doesn't require Admin access runs an exe that does and a UAC prompt comes up.. Sounds like a real bad hack to me.. Wait, you still have to click the UAC prompt to let the process have admin rights... Sounds like UAC is working just like it should..

If people are still running as administrator and carelessly click on every UAC prompt, there is nothing that can save them. These are the kind of people that would sudo a program on Linux just because it asks them to do so.

Eweek does this sort of thing "all the time".
They get someone from a security firm, etc. (NPD, Yankee Group, Gartner,etc.) to say something then build it up out of all proportions.
And then it is a MAJOR STORY !
Crap ! .... This is how to make a "Mountain out of a Mole Hill" !!
I feel that all of this is to put people off Vista.

Yes but you would have to be really stupid to let it "run" in the first place wouldn't you ?
I always have "adwatch" running on "Ad-aware" and this sort of thing would not happen on my system.

Caveman-ugh said,
Yes but you would have to be really stupid to let it "run" in the first place wouldn't you ?

You obviously haven't met 99% of computer users.

8-n-1 said,

You obviously haven't met 99% of computer users.

How is MS supposed to fix it? Nobody ever mentions that part in their completely intelligent, unbiased and sound analysis of how 'uac sux'. Who does it right? If users can't click no for a trojan, they can't use sudo to run the program if it's legit, for sure. Did this simple fact escape you, or are you intentionally being obtuse? And even if they could figure out sudo (UAC yes/no too hard, command-line permission granter easy enough for anybody according to MS bashers, ya ok morons, good logic), which really ain't that hard, they'd just grant permission to execute as root to any program that asked for it, same as UAC. I feel like I am talking technological aspects of computers to special ed kids..

8-n-1 said,

You obviously haven't met 99% of computer users.

If it was in fact 99%, which it isn't, you would be including a lot of companies that have top-notch security and you would be including a lot of smart users. The number is more likely around the 60% mark.

Caveman-ugh said,
When is a "hack" not a hack??
When the user has to compromise his own system!!
Typical of eweek to spread this sort of garbage !

It IS a hack because all it takes is for some program to include this program as a piggy-back. Say, for instance, that the site for Ad-Aware is hacked and the download is replaced with an infected one. Then everyone who installs Ad-Aware is susceptible to this infection. It's a trojan horse, people. Still a hack.

Robgig1088 said,

It IS a hack because all it takes is for some program to include this program as a piggy-back. Say, for instance, that the site for Ad-Aware is hacked and the download is replaced with an infected one. Then everyone who installs Ad-Aware is susceptible to this infection. It's a trojan horse, people. Still a hack.

Yeah, but the 2nd payload still requires a UAC prompt. IMO, it'd be very suspicious if a program that doesn't require privileges suddenly needs them. In his blog, the researcher said that it isn't a big deal and most users would just click allow without noticing the difference. He gives WOW.exe as an example, as sometimes this executable triggers the UAC and sometimes it doesn't, because of update patches. I don't have WoW installed, but for Firefox the UAC only triggers when I actually do the updating and it doesn't trigger when I launch the program. So, in the end, it requires a second user mistake which he really glossed over, which is that the user gives an elevation to a program that originally does not need one. Thus, it's a matter of judgement from the user. Would an executable that suddenly requires admin privileges ring alarm bells? If so, it is only a matter of checking that your shortcut has not been changed by the 1st malicious program.

Yeah, if something is already compromised, especially by negligence on the part of the user, of course it's going to be easier to break apart. I have my beefs with Microsoft, but the title is very misleading and not very fair... 2 steps indeed.

Please stop this "hack" madness before 30 year old mothers go around saying "Hey, I hacked my computer today!", and try to gain geek cred.

Rolith, I hope you're joking about noobs and their user initiated 'hacks' cuz otherwise you ain't too bright there..

"how to get around UAC in two parts"

1) Get around UAC somehow magically

2) have a hack that disables UAC in the future... that is...call the WINDOWS FEATURE THAT ALLOWS YOU TO DO THIS.

Nose, do you do this with your mechanic and doctor too? Talk about the field with little idea what you are saying? Anyway, you can't have your cake and eat it too: any OS that runs code and allows the user to read/change/execute his files is hackable, by definition, or it's not a computer with a user. Admin just makes it sweeter for the malicious code writer; running stuff from the internet eases entry. These are parts of reality and cannot be avoided in the current computer paradigm, plain and simple.

"In fact, at this point, the user must be part of the local administrator's group or provide administrator credentials at the UAC prompt."

Yeah, real nice "hack" guys...

FTFA:
"With this in mind, it is important to note that user interaction is required for the initial infection of the Trojan to occur. The user must open the attacker's malicious executable. Furthermore, the successive social engineering attempt will only be successful if the user inadvertently clicks on the malicious shortcut. In fact, at this point, the user must be part of the local administrator's group or provide administrator credentials at the UAC prompt."

Yeah, that's all good and well. But a VERY high % of normal users use Admin accounts because the idea of logging out and logging back in to install an app is simply ridiculous. Furthermore, it's not exactly difficult to get an unsuspecting end-user to download a .exe they think is a game and run it once. It's even easier to pilfer the p2p networks with '<popular song title here>.mp3.exe' and watch the chaos ensue.

Nose Nuggets said,
Yeah, that's all good and well. But a VERY high % of normal users use Admin accounts because the idea of logging out and logging back in to install an app is simply ridiculous.

This is Vista that's being talked about, not XP...

IGx89 said,

This is Vista that's being talked about, not XP...

Lots of people log in as admin in Vista.
And for a single-user computer, principally if used by an IT professional, there is really no reason to use another user.

Of course UAC passes FAR away from my pc, since they put it on the 1st beta it appeared.

You don't have to log in/out as admin to install something on Vista. You can just grant the program Admin level security and it'll install on that even if you're not logged in as an Admin account.

cardg said,

Lots of people log in as admin in Vista.
And for a single-user computer, principally if used by an IT professional, there is really no reason to use another user.

Of course UAC passes FAR away from my pc, since they put it on the 1st beta it appeared.

The default user created under Vista is not an Admin account like XP. And even when you login as Admin, you're not really admin, you're one level below, or something like that.

GP007 said,

The default user created under Vista is not an Admin account like XP. And even when you login as Admin, you're not really admin, you're one level below, or something like that.

You're admin with low user privileges until you OK admin-only actions. It's actually very good security for people who want to work as admins or have to because of hardheaded and lazy developers, and it's a way of highly motivating developers to make user-mode-only programs, since UAC allows the program to run, possibly, but also aggravates the user somewhat. Eventually all programs will be user mode if possible and not throw up UAC prompts, to be more competitive than apps that have the same functionality but do aggravate the user with unnecessary UAC prompts, which will increase security for everyone by ensuring that every admin-level activity is probably not supposed to happen unless the user really needed it and initiated it himself. Well, you get the idea.