Security Bytes

May 15 2007   2:08PM GMT

How to bypass Vista UAC in two easy steps

David Schneier

One of the security features in Vista that has gotten a lot of attention is User Account Control (UAC), but not necessarily for the reasons that Microsoft officials might have been hoping for. UAC was the subject of one of those clever Mac and PC commercials that Apple is running and now a researcher named Rob Paveza has released a new paper outlining a technique for bypassing UAC by abusing the shortcuts in the Vista Start menu. The attack is fairly simple, but has the potential to cause serious damage if it’s executed successfully.

In general terms, the attack works like this: The attacker somehow entices the target user to download a Trojan, either via an infected email message or through a malicious Web site. Once installed, the Trojan drops a piece of software the author calls the proxy infection tool, which then writes some malicious code to a location in the user’s Start menu folder. It then looks for a shortcut that is a good candidate for replacement, i.e., one that does not lead to a signed executable. Once it finds a suitable shortcut, it compiles a new executable stub that will launch both the original intended program and the malware and replaces the Start menu shortcut with a new one. Once the user launches that shortcut, the malware checks to see if the user has administrator privileges. If so, the malware launches.

When the program attempts to execute, the user will see one of the UAC prompts, asking whether the user wants to proceed and listing the name of the executable. Because the proxy infection tool has replaced a program that already has elevated privileges, the user should recognize the name and allow the program to run. Ideally, the malware then executes the original program that the user thought he was running, as well as the malicious program, and it’s off and running. Clever, eh?
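The technique above hinges on shortcuts whose targets are not signed, so the natural defensive check is an inventory of exactly those. The following PowerShell audit is an added example, not code from the original post or from Paveza's paper: it walks both Start menu folders, resolves each shortcut's target, reports targets without a valid Authenticode signature, and flags shortcuts rewritten recently. The folder choice and the 7-day window are assumptions.

```powershell
# Added example (not from the post): audit Start menu shortcuts for targets
# without a valid Authenticode signature, i.e. the candidates the
# shortcut-replacement technique looks for. Run in an elevated PowerShell
# on Windows; the folders and the 7-day window are assumptions.
param(
    [int]$RecentDays = 7
)

$startMenus = @(
    [Environment]::GetFolderPath('StartMenu'),        # per-user Start menu
    [Environment]::GetFolderPath('CommonStartMenu')   # all-users Start menu
)

$shell  = New-Object -ComObject WScript.Shell
$cutoff = (Get-Date).AddDays(-$RecentDays)

$findings = foreach ($dir in $startMenus) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Filter *.lnk -Recurse -File | ForEach-Object {
        $lnk    = $_
        $target = $shell.CreateShortcut($lnk.FullName).TargetPath
        # Skip shortcuts with no resolvable file target (URLs, folders, dead links).
        if (-not $target -or -not (Test-Path $target -PathType Leaf)) { return }

        # 'NotSigned' is the state the attack prefers; anything other than
        # 'Valid' (HashMismatch, UnknownError, ...) is also worth a look.
        $sig = Get-AuthenticodeSignature -FilePath $target
        [pscustomobject]@{
            Shortcut         = $lnk.FullName
            Target           = $target
            SigStatus        = $sig.Status
            Signer           = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            ShortcutMTime    = $lnk.LastWriteTime
            RecentlyModified = $lnk.LastWriteTime -gt $cutoff
        }
    }
}

# Report unsigned or badly signed targets, plus any shortcut rewritten recently:
# a signed target behind a freshly modified .lnk is the combination to inspect.
$findings |
    Where-Object { $_.SigStatus -ne 'Valid' -or $_.RecentlyModified } |
    Sort-Object SigStatus, ShortcutMTime -Descending |
    Format-Table Shortcut, Target, SigStatus, RecentlyModified -AutoSize
```

A clean machine will still list legitimately unsigned programs, so the useful signal is change over time: save the first run as a baseline and diff later runs against it.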

The folks at Symantec have a good analysis of the technique on their blog.

