Defeating UAC with a two-stage malware attack

An independent security researcher has released details on a two-stage malware attack against Windows Vista to show how easy it is for non-privileged code to replace shortcuts on the Start Menu and intercept UAC (User Account Control) privilege elevation prompts.

Rob Paveza's proof-of-concept (.pdf) uses a regular Trojan horse program as a "proxy infection tool" that does not prompt for a UAC roadblock warning because it doesn't make any suspicious system changes.

This tool then becomes a crucial part of the second stage of the attack. Symantec's Ron Bowes explains the basic outline of Pavesa's theoretical attack:

The attack the researcher outlines involves the construction of the Start menu. A user's Start menu is built from at least two locations. One is the user's Start menu folder and the other is global. These two locations are merged to create the Start menu that the user sees. If the same shortcut exists in both the user's folder and the global folder, the user's is used.

The proxy infection tool, which is run by the user, writes to the user's Start menu folder and reads from the global Start menu folder without requesting elevated permissions. The program searches the global Start menu folder for all programs that require elevation, and creates duplicates in the user's folder that point to the malicious code. This is the second stage of the attack.

When the user attempts to run a program that has been duplicated, they see a UAC prompt. Because the program already required elevated permission, the user wouldn't be alarmed. The malicious program, with elevated privileges, executes the intended program, fooling the user into thinking everything is normal. Meanwhile, the malicious program can clean up any trace that it had piggy-backed, and install itself somewhere with permanently-elevated privileges.

Dennis Fisher believes this "has the potential to cause serious damage if it’s executed successfully."

In his research paper, Paveza argues that the design of the Windows user interface does not provide a viable solution to this exploit but he is recommending a few changes to the UAC mechanism to give the end user a clue about these types of attacks.

Some of Paveza's suggestions:

• A fifth UAC dialog box could be introduced, alerting the user if the shortcut was started from the user’s Start Menu list rather than the All Users list, and if the executable in question is in a non-UAC-protected location.
• A fifth UAC dialog box could be introduced, alerting the user to unique circumstances each time an unsigned executable is started with administrative privileges for the first time. This would alert the user to the unusual situation, particularly if an application which has been run as an administrator consistently in the past (such as games that require updates) suddenly display the new dialog.
• The Start Menu could display both Start Menu entries, which would likely be seen as unusual by the user.
• Disable reads from UAC-protected areas by applications that do not exist in the same protected path (so that applications that do not run from c:\Program Files could not read within c:\Program Files by default).
• Disable .NET Framework compilation in non-elevated processes by default, although this would not protect from similar attacks made from other languages, such as C, and could present difficulty for some applications which utilize dynamic compilation for extensibility.

While I was reading this paper, which is purely theoretical, I was reminded of a talk by Microsoft technical fellow Mark Russinovich at the CanSecWest security conference last month where he stressed that malware authors will evolve to do damage on Vista (even with UAC enabled).

This new research is just one example of the kinds of things we'll be seeing in a Vista world.

Also see this excellent Channel 9 interview with Russinovich (.wmv) where he talks about UAC and the other security technologies that make Vista Microsoft's most secure OS ever.