One of the security features in Vista that has gotten a lot of attention is User Account Control (UAC), but not necessarily for the reasons that Microsoft officials might have been hoping for. UAC was the subject of one of those clever Mac and PC commercials that Apple is running, and now a researcher named Rob Paveza has released a new paper outlining a technique for bypassing UAC by abusing the shortcuts in the Vista Start menu. The attack is fairly simple, but it has the potential to cause serious damage if it’s executed successfully.
In general terms, the attack works like this: The attacker somehow entices the target user to download a Trojan, either via an infected email message or through a malicious Web site. Once installed, the Trojan drops a piece of software the author calls the proxy infection tool, which then writes some malicious code to a location in the user’s Start menu folder. It then looks for a shortcut that is a good candidate for replacement, i.e., one that does not lead to a signed executable. Once it finds a suitable shortcut, it compiles a new executable stub that will launch both the original intended program and the malware and replaces the Start menu shortcut with a new one. Once the user launches that shortcut, the malware checks to see if the user has administrator privileges. If so, the malware launches.
When the program attempts to execute, the user sees one of the UAC prompts, asking whether to proceed and listing the name of the executable. Because the proxy infection tool has replaced the shortcut to a program the user already runs with elevated privileges, the user should recognize the name and allow the program to run. In the attacker’s ideal case, the stub then executes the original program the user thought he was running, as well as the malicious program, and the malware is off and running. Clever, eh?
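As an added defender-side check, not taken from the article or from Paveza’s paper: a PowerShell audit that lists Start menu shortcuts pointing at unsigned executables, or at targets that live inside the Start menu folder itself, the two properties the technique above depends on (it replaces shortcuts to unsigned programs and drops its stub into the user’s Start menu folder). It assumes Windows PowerShell with the WScript.Shell COM object available; the output property names are this example’s own.

```powershell
# Added example, not part of the original article or of Paveza's paper.
# Enumerates .lnk files in the per-user and all-users Start menus, resolves
# each target, and flags the ones the described attack would pick or produce.

$startMenus = @(
    [Environment]::GetFolderPath('StartMenu')        # per-user Start menu
    [Environment]::GetFolderPath('CommonStartMenu')  # all-users Start menu
)

$shell = New-Object -ComObject WScript.Shell

$findings = foreach ($root in $startMenus) {
    Get-ChildItem -Path $root -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk    = $shell.CreateShortcut($_.FullName)
        $target = $lnk.TargetPath
        # Skip shortcuts with no resolvable executable target
        if (-not $target -or -not (Test-Path -LiteralPath $target)) { return }
        if ([IO.Path]::GetExtension($target) -ne '.exe') { return }

        $sig = Get-AuthenticodeSignature -FilePath $target
        [PSCustomObject]@{
            Shortcut          = $_.FullName
            Target            = $target
            Arguments         = $lnk.Arguments
            ShortcutModified  = $_.LastWriteTime
            SignatureStatus   = $sig.Status   # 'Valid', 'NotSigned', 'HashMismatch', ...
            Signer            = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            # A target stored under the Start menu folder is unusual and matches
            # where the proxy infection tool writes its launcher stub.
            TargetInStartMenu = [bool]($startMenus | Where-Object { $target -like "$_\*" })
        }
    }
}

# Unsigned targets are the shortcuts the attack looks for; a recently modified
# shortcut whose target sits in the Start menu folder is the post-infection symptom.
$findings |
    Where-Object { $_.SignatureStatus -ne 'Valid' -or $_.TargetInStartMenu } |
    Sort-Object ShortcutModified -Descending |
    Format-Table Shortcut, Target, SignatureStatus, TargetInStartMenu, ShortcutModified -AutoSize
```

Run it from an ordinary (non-elevated) session and compare the results against a known-good baseline; a shortcut that changed its target or modification time without a corresponding install is the thing to investigate.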
The folks at Symantec have a good analysis of the technique on their blog.