Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Security hole in Windows kernel allows UAC bypass

By Ryan Naraine | November 29, 2010, 9:54am PST

Summary: A privilege escalation vulnerability in the Windows kernel can be exploited to bypass Microsoft’s UAC (user account control) security mechanism.

A privilege escalation vulnerability in the Windows kernel can be exploited to bypass Microsoft’s UAC (user account control) security mechanism, according to a warning from a security researcher.

Proof-of-concept exploit code has been published on the Web.  Microsoft says it is investigating the issue.

This Secunia advisory spells out the problem:

A vulnerability has been discovered in Microsoft Windows, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or gain escalated privileges.

The vulnerability is caused due to an error in win32k.sys when processing the “GreEnableEUDC()” function. This can be exploited to overflow the “EntryContext” buffer specified in the “QueryTable” parameter to the “RtlQueryRegistryValues()” function via e.g. a specially crafted “SystemDefaultEUDCFont” registry value.

Successful exploitation allows execution of arbitrary code in the kernel.

The published proof-of-concept successfully bypasses the UAC security mechanism on Windows but the severity is somewhat reduced because a hacker must combine two security vulnerabilities (and exploits) to launch a successful attack.
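As an added illustration of the bug class the advisory describes, and not code from the article, from Secunia or from Windows: a user-mode C model of a QueryTable entry whose EntryContext buffer receives a registry value without the value's type or length being checked, beside the checked form. The type codes, the in-memory "registry value" and the oversized REG_BINARY sample are constructed stand-ins; no Windows API is called.

```c
/* Constructed user-mode model of the EntryContext overflow pattern; the types and the
 * "registry value" below are stand-ins, not Windows structures or APIs. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { MODEL_REG_SZ = 1, MODEL_REG_BINARY = 3 };  /* stand-ins for REG_SZ / REG_BINARY */

typedef struct {
    int            type;  /* type as stored; a user can write any type under HKCU */
    const uint8_t *data;  /* value bytes */
    size_t         len;   /* value length, chosen by whoever wrote the value */
} model_reg_value;

#define CTX_BUF 32             /* what the caller budgeted for the font name */
#define CTX_RAW (CTX_BUF + 4)  /* plus a 4-byte canary directly after it */

/* The caller's EntryContext: 32 bytes of expected string storage followed by a canary,
 * kept as one flat array so this model never writes outside its own object. */
typedef struct { uint8_t raw[CTX_RAW]; } entry_context;
static const uint8_t CANARY[4] = { 0xA5, 0x5A, 0xA5, 0x5A };

static void ctx_init(entry_context *c) {
    memset(c->raw, 0, CTX_RAW);
    memcpy(c->raw + CTX_BUF, CANARY, 4);
}

/* Vulnerable pattern: copy as many bytes as the stored value claims to have. */
int query_direct_unchecked(const model_reg_value *v, entry_context *c) {
    if (v->len > CTX_RAW) return -3;  /* keeps the model itself memory-safe */
    memcpy(c->raw, v->data, v->len);  /* nothing stops len from exceeding CTX_BUF */
    return 0;
}

/* Hardened pattern: require the expected type and bound the copy by the buffer. */
int query_direct_checked(const model_reg_value *v, entry_context *c, int expected_type) {
    if (v->type != expected_type) return -1;  /* e.g. REG_BINARY where REG_SZ was expected */
    if (v->len > CTX_BUF) return -2;          /* would run past EntryContext */
    memcpy(c->raw, v->data, v->len);
    memset(c->raw + v->len, 0, CTX_BUF - v->len);
    return 0;
}

/* Constructed value of `len` zero bytes with the given type, sent down the checked path. */
int checked_result(int type, size_t len) {
    static const uint8_t zeros[CTX_RAW];
    model_reg_value v = { type, zeros, len > CTX_RAW ? CTX_RAW : len };
    entry_context c;
    ctx_init(&c);
    return query_direct_checked(&v, &c, MODEL_REG_SZ);
}

/* Constructed 36-byte REG_BINARY value sent down the unchecked path; returns 1 when
 * the canary that sits after the 32-byte buffer has been overwritten. */
int oversized_binary_clobbers_canary(void) {
    static const uint8_t crafted[CTX_RAW] = { 0x41 };  /* contents irrelevant, length is not */
    model_reg_value v = { MODEL_REG_BINARY, crafted, sizeof crafted };
    entry_context c;
    ctx_init(&c);
    query_direct_unchecked(&v, &c);
    return memcmp(c.raw + CTX_BUF, CANARY, 4) != 0;
}
```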



Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.


which can be exploited by malicious, local users

The rules clearly state that local vulnerabilities are no big deal, at least when they are found in OS X and Linux.

Cue the double standards...
The article does not show a double standard applied...
BubbaJones_ Updated - 29th Nov 2010
@NonZealot
Your comment "The rules clearly state that local vulnerabilities are no big deal...", I have never read that rule however, I will agree with you local vulnerabilities are not a big deal. Reading in that article I do not read where it states it does or does not apply to other OSes.

As usual you are just starting another fight. Do you have anything of substance to contribute to the article or discussion? Hum, does not appear as though you do.
@RicD_: The fact other operating systems are not mentioned is irrelevant.
@RicD_ Because when things like this are shown in MAC OS or Linux the fanboys blow it off.
@RicD_ Because when things like this are shown in MAC OS or Linux the fanboys blow it off.

What do you care if it gets "blown off" or not. You don't even use OSX or Linux so so-what.
Agreed: No big deal
Dietrich T. Schmitz, ~ Your Linux Advocate 29th Nov 2010
@NonZealot
nt
as first post on a thread.
Do you know what the word "cue" means?
NonZealot 29th Nov 2010
@frgough
Obviously you don't.

Hint: a cue happens before the event it is a cue for. Hence, my post makes perfect sense as the first post.

Is English not your first language? Just curious because it is either that or you aren't very smart.
...when he knew his cue schtick didn't have a pot to pi$$ over this windoze kernel issue.

Just blame Apple for the UAC security hole bypass. It's all Steve Jobs fault.

lol... grin
Surely local vulnerabilities are a big issue for desktop OSes. Particularly those with a history of massive amounts of malware.

Or is NonZealot saying this is a real problem for windows users?
@Richard Flude: True, windows has a bad record for privilege escalation

Or are you expecting us to take you at your word?

Particularly those with a history of massive amounts of malware.

Massive market share leads to massive amounts of malware.
Yes, Ye
Richard Flude 29th Nov 2010
Privilege escalation recorded by secunia win7 (11), vista (24). Before that no effective protection from largest attack vector - shatter attacks (crippled windows event messaging)

If market share is the determinant for amount of malware, then the solution on windows would only be sell fewer or move to alternate OS. Ye might have a point.
@ye: "massive market share leads to massive amounts of malware", so that would mean that the 70% Linux market on cellphones would create a massive amount of malware. So far, I have only seen proof-of-concepts for Android and none for the other Linux varieties.

Quit using that MS nonsense. Mainframes had a massive share of the market in the 60's and until today, no successful virus has appeared on that market. Unix had a smaller market share and essentially created the first worms.
@cosuna

Big difference in a Cell Phone OS and a Desktop OS, you do realize that right? Just because Android is based off Linux does not mean it is the same kernel as the desktop version. It is just like iOS is based off Mac OS.

Nice attempt though.
Wow you really do like living in the past.
ye Updated - 30th Nov 2010
@Richard Flude: DLL hell, shatter attacks, etc. What's next? IRQ and COM port conflicts? You're really, really desperate aren't you?

If market share is the determinant for amount of malware, then the solution on windows would only be sell fewer or move to alternate OS.

That's a possibility if your intent is to use a platform which is not targeted by malware.
I blame the duration system failing our youth.

Still today the majority of Windows users are exposed to shatter attacks (XP). You'd think the learned MCSE would know this.

For fun, what portion of desktop users are intent on using a platform targeted by malware?
@Richard Flude: ll today the majority of Windows users are exposed to shatter attacks (XP).

Shatter attacks are old news. Perhaps they're new to you? Come join us in 2010. You'll notice much has changed.
Given XP is still at what?
ahh so 30th Nov 2010
Around 60% usage at the moment?

That makes shatter attacks still relevant news.

Come up with something better, ye. You got NonZealot beat.
@NonZealot : local user means you and anybody else using the system. That is, this is not a fly-by, but can easily be attached to a fake "setup.exe" file which will not prompt the user for privileges when run. Simple example. You could create a simple *.exe file running a demo flash and without the user's knowledge (he depends on UAC for security) code could create a trojan or plant a virus.

Then again... people always state that the reason for moving to Windows 7 was security... yeah right... XP we know dearly and IT Admins know how to block all entrances. 7 is brand new and prone to these kinds of mistakes.
@cosuna: Simple example. You could create a simple *.exe file running a demo flash and without the user's knowledge (he depends on UAC for security) code could create a trojan or plant a virus.

UAC merely provides an easy means to elevate from unprivileged to privileged credentials. This vulnerability, as already mentioned, exists in Windows XP which has no concept of UAC. It allows for the elevation of rights from unprivileged to privileged. This is nothing related to UAC nor is the vulnerability unique to Windows.
RE: Security hole in Windows kernel allows UAC bypass
nickdangerthirdi@... 3rd Dec 2010
@NonZealot Zealot - an immoderate, fanatical, or extremely zealous adherent to a cause, esp a religious one. Your name is a misnomer; it makes you look silly when you make posts like this. Not sure if you knew what a zealot was, because you absolutely are one. No one ever said M$ wasn't going to fix it, and for the most part everyone agrees with you that it's not a huge deal, even though you are a jerk about it. You make your ignorance about other operating systems painfully clear when you say things like this. As for me, I do hold M$ and Apple to a higher standard than Linux; for one thing, I paid for crap, they better fix it and make it right. (Unfortunately Apple has let me down on every front, so they don't even get to play in my environment.) Even though I probably get just as many updates on my Linux box as I do on my Windows machines, not all those updates are for new features; lots of times those updates also address security concerns and I just downloaded it off the internet for free. So to compare a corporate giant like M$ to a community project like Linux is like comparing a Bugatti Veyron with a Volkswagen Beetle: sure, the Beetle is nice, and it runs good, but I paid a million dollars for the Veyron, I expect it to be the best. Unfortunately that doesn't always hold true in the real world.
At least not that I can find. Though information is very limited at this time.
Not even an issue
Joe_Raby 29th Nov 2010
A local malicious user has to bypass UAC, in order to bypass UAC?

This is a non-event.

As is usual, this carries a usual warning of "don't let untrusted users use the computer" and "only run trusted software" - required for any computer system, regardless of platform.

Yawn!

"Provided and/or discovered by
*noobpwnftw*"

Another script kiddie looking for hacker street cred....
@Joe_Raby

The problem is that even some trusted users can't always be trusted. NZ's comment is nice for giggles and it points out the hypocrisy in criticizing one company versus another, but if this exploit does what it says it does, this is a very serious issue. This isn't server room hardware we are talking about here, this is desktop and laptop hardware, and that is generally left out in the open. All an attacker has to do is quickly set himself up a password and remote access, and that can be done in under a minute (less than the time it takes to grab a cup of coffee), and do the rest at his leisure.
@Michael Kelly: The real issue is around Kiosk types of systems such as those found in libraries. But then privilege escalation vulnerabilities are found in all general purpose operating systems.
Someone has to set the user up
Joe_Raby 29th Nov 2010
@Michael Kelly

An untrusted user shouldn't be allowed to set up a user account for themselves - only trusted people should. Likewise, untrusted software should be blocked. This is not a major concern for any typical IT setup. Also, this still doesn't affect domain credentials, so even kiosk setups shouldn't be affected (who sets up kiosk systems with local storage anyway?).

Also, you forget that at least one of the two security flaws that they have to exploit already has a patch available for it.

Again, I back up my claim: this isn't a big security risk if systems are managed correctly. This is like enterprises that run IE6 because of web app compatibility - if Internet access is managed correctly, IE6's lack of security is a non-issue. After all, you can eliminate a huge amount of attack vectors by blocking user downloads, and eliminating access to P2P websites and sites like Facebook. Only allowing corporate Java applets is another good option.
@Joe_Raby, "This is a non-event."

True. The report looks erroneous.

SystemDefaultEUDCFont registry value sounds like a value that can be modified by admins only.
I wonder how can one change this registry value and load his preferred "malicious font" without admin privilege on the first place.

Also, the secunia site included XP Home and XP Pro in the OS list, when I think UAC is not present in both.
Registry thing
Joe_Raby 29th Nov 2010
@Martmarty

The registry part was just an example of one way of exploiting the flaw, but not the only way. You are correct about modifying registry keys without admin privileges though.

And yes, I did see the thing about XP, but it's not just about UAC - it's about getting user privilege escalation, so on XP you don't have to work around UAC to get admin rights.

Microsoft has this term: Defense-in-depth. It encompasses multiple layers of security in a computing environment. One single method isn't foolproof. Not sandboxing, not ASLR, not antimalware, not a firewall, not security patches, not UAC, not kernel checks, not managed authentication, etc. However, all of them combined provides a much more secure level of computing that no single method can provide, and it's the responsibility of every OS vendor to provide as many layers as possible.
@Martmarty: Also, the secunia site included XP Home and XP Pro in the OS list, when I think UAC is not present in both.

It sounds just like any other privilege escalation vulnerability.
@ye

So it's just what this article suggests, it allows one to bypass UAC. Meaning it allows one to escalate without using UAC, so UAC never comes into the picture. Correct?

If correct, then it's still a bad thing. It just means there is no reason to scrap UAC.
@Michael Kelly: So it's just what this article suggests, it allows one to bypass UAC. Meaning it allows one to escalate without using UAC, so UAC never comes into the picture. Correct?

UAC allows the user to easily elevate credentials. It does not protect resources. This appears to be a privilege escalation vulnerability which has nothing to do with UAC, at least from the limited information we have. I think it's wrong for the author to have even mentioned UAC. The Secunia advisory doesn't even mention UAC and, as noted by someone else, it also affects Windows XP which has no concept of UAC.

If correct, then it's still a bad thing. It just means there is no reason to scrap UAC.

It is a bad thing. And it needs to be corrected. However it's nothing specific to UAC and the type of vulnerability is not unique to Windows.
Microsoft security must really be working well if the exploiters need to combine exploits just to get into the system. The last set of exploits were a combination of something like 5 different exploits before gaining any privileges. Since this only affects local users and most computers only have a single user it will be extremely hard to exploit. This exploit is worthless.
Hey look, it's LD! A celebrity everybody!
Dietrich T. Schmitz, ~ Your Linux Advocate 29th Nov 2010
@Loverock Davidson
nt
Hey look, it's DTSYLA!
Joe_Raby 29th Nov 2010
*crickets*
Well, he *is* a celebrity you know.
Dietrich T. Schmitz, ~ Your Linux Advocate 29th Nov 2010
@Joe_Raby
Maybe he'll let everybody know who he is all on his own.
How about it LD?
@Dietrich T. Schmitz, Your Linux Advocate

Never heard of him. He's just a nobody.

Like that guy on the street corner begging for change and screaming about the establishment.
@maskman01
Joe_Raby 30th Nov 2010
"Like that guy on the street corner begging for change and screaming about the establishment. "

Oh, so you've met DTS already....
Huh?
ahh so Updated - 30th Nov 2010
Microsoft security must really be working well if the exploiters need to combine exploits just to get into the system. The last set of exploits were a combination of something like 5 different exploits before gaining any privileges. Since this only affects local users and most computers only have a single user it will be extremely hard to exploit. This exploit is worthless.

Huh?

What was that?

Lovey Dovey, did you leave home without your safety helmet today?

LOL.... grin
Wow you folks are quick
Alan Smithie 29th Nov 2010
This info was around last week
local users!
So let me get this straight
bobiroc 30th Nov 2010
The prompt for admin credentials comes up right? The user has to physically acknowledge that right? If the root Administrator account and the 1st User Admin account are password protected as they should be this should be a minimal issue correct?

Just making sure I am reading this correctly because it sounds like something similar can happen on other OSes if the user accepts the prompt for admin credentials.
@bobiroc, i think the pic above is for illustration purposes only, and has nothing to do with the published exploit.

the released binary was on console mode (command prompt), and will escalate any standard/limited user into a system privilege which is higher than admin.

http://www.kb.cert.org/vuls/id/529673

the exploit has nothing to do with all admin accounts in your PC, it will just convert the currently logged limited user into an admin (system privilege to be precise).

like most companies, if you have an office laptop with very limited privilege, (ie cannot install anything, cannot modify settings) then the exploit will remove all those limitations.

i think MS needs to release a patch for ntdll.dll and GDI32.dll to fix this
@Martmarty

Well then the article is misleading or maybe I misread it. Thanks for the link.

I am sure MS will release a Patch and hopefully soon. No Operating System/Software is infallible as I am pretty sure similar exploits have been found in other OSes that auto-elevate to admin without the user's knowledge and patches have been released to fix.
Buffer Overflow???
mckintim 30th Nov 2010
If all of these bugs are caused by buffer overflows, and given buffer overflows are bad, then why can't buffer overflows be rendered useless instead of providing elevated privileges? (Just saying)

Also, what does "escalated privileges" mean? (from excerpt) Talk about improper word usage.
The OS of most Mainframes is/are UNIX or a variant of UNIX
UAC has always been an issue since Vista. No surprise there; it must have gone to Windows 7 too.
How disingenuous the article comes out, as this is a critical flaw, and then the last sentence gives the kicker: "Windows but the severity is somewhat reduced because a hacker must combine two security vulnerabilities (and exploits) to launch a successful attack." And is it responsible reporting to actually detail the exploit? Why not just post the code. What moronic reporting.

Do the world a favor: report the news accurately and quit trying to spin it like Chicken Little. The sky is not falling and millions of computers aren't going to be turned into zombies.
