Fileless UAC Bypass in Windows Store Binary

**Update** - 9/13/2019
Metasploit has added a module for the UAC Bypass in Windows! Most of Metasploit modules are built by community contributors for free (i. e. modules that are worth the effort to be included to make Metasploit users life easier). This UAC bypass was chosen due to the fact it a) does not require user interaction and b) it’s file-less (no dropping files on disk is needed). It’s common practice to give credit when its due when creating modules hence the reference to ACTIVELabs for the discovery. Find the module here.

**Update** - 5/23/2019
Please note Microsoft has released a behavioral detection for this attack vector in Windows Defender Antivirus with an alert level of “SEVERE."  We can confirm it works as expected. See the link here.
​
Based on the increased interest in User Account Control (UAC) bypass research as of late, we've decided to read more on the subject and attempt to identify some sort of a pattern which ultimately led to finding our first UAC (still valid as of this writing) bypass. The following is a walkthrough of said finding. Please note we will not discuss UAC internals as there are plenty of well-written posts out there. In addition, will be using Windows 10 Version 1803 (OS Build 17134.590) as an example.

The problematic binary is WSReset.exe, the Microsoft signed executable is used to reset Windows Store settings according to its manifest file but most importantly has “autoElevate” property set to true.

Now, let’s set Procmon64.exe with the following self-explanatory filters.

Running WSReset.exe (medium-integrity) shows the missing parameter for verb open under the HKEY_CLASSES_ROOT (HKCR) virtual registry hive which if found will be run in (high-integrity) context.

Now according to Microsoft documentation here there are two characteristics that we need to be aware of in regards to HKEY_CLASSES_ROOT (HKCR) virtual registry hive:

• On Windows 2000 and above, HKEY_CLASSES_ROOT (HKCR) is a compilation of user-based HKCU\Software\Classes and machine-based HKLM\Software\Classes.
• If a given value exists in both of the subkeys above, the one in HKCU\Software\Classes takes precedence.

The Component Object Model (COM) leverages HKEY_CLASSES_ROOT (HKCR) to maintain information about all of the COM objects installed on a computer, which allows for both per-user and per-machine object registration. In other words, the current user can write to HKEY_CURRENT_USER\Software\Classes (HKCU) which will effectively end up in HKEY_CLASSES_ROOT (HKCR) virtual registry hive. Here's the proof-of-concept code using PowerShell:

Invoke-WSResetBypass.ps1

And the obligatory demonstration of the attack:

​For what it's worth, we did report this to MSRC and received the following response:

Although we haven’t tested it ourselves, this particular technique can be remediated by setting the UAC level to “Always Notify” or taking away local administrative rights. We hope this post was worth your time and feel free to reach out at labs@activecyber.us if you have any questions.
 
Affected/tested Products

• Windows 10 Version 1803 OS Build 17134.590
• Windows 10 Version 1809 OS Build 17763.316

Disclosure Timeline

• 02-19-19: Report sent to MSRC
• 02-19-19: MSRC acknowledged report and case manager was assigned
• 02-26-19: Requested status update
• 02-27-19: MSRC responded the report is subpar, and the case will be closed out
• 03-14-19: Blog post released
• 05-23-19: Updated with Windows Defender Antivirus detection