Security researchers Matt Graeber and Matt Nelson have discovered a way to run a malicious DLL on Windows 10 without User Account Control (UAC) springing into action and alerting users to the potential danger.
What is User Account Control (UAC)?
UAC is a technology that’s meant to improve the security of the OS by preventing software – or, more importantly, malware – from running with administrative privileges unless explicitly authorized to do so by the user.
How is the attack executed?
By modifying a default scheduled task (“SilentCleanup”) associated with the Disk Cleanup utility, they were able to trigger the running of a specially crafted DLL file without triggering UAC. That’s because SilentCleanup on Windows 10 is configured “to be launchable by unprivileged users but to run with elevated/high integrity privileges.”
The process (cleanmgr.exe) started by the task creates a new folder, and populates it with multiple DLLs and another process (dismhost.exe) that loads them in a specific order.
“Because the current medium integrity user has write access to the user’s %TEMP% directory, it is possible to hijack a DLL loaded by dismhost.exe and obtain code execution in a high integrity process,” the researchers noted.
They identified the last DLL (LogProvider.dll) loaded by dismhost.exe, then used a WMI event to monitor for the creation of the aforementioned folder and to exchange the legitimate LogProvider.dll with a malicious one created by them and given the same name.
dismhost.exe then loads the malicious DLL instead of the legitimate one, and UAC doesn’t spring into action. The result? Malicious code execution in a high integrity context.
Naturally, to do all that, the machine first has to be infected with malware that is capable of performing this attack. Graeber and Nelson have created a PoC PowerShell script that performs the attack.
What is Microsoft going to do about it?
Absolutely nothing. The researchers notified Microsoft about their research, and the company pointed out that “UAC isn’t a security boundary, so this doesn’t classify as a security vulnerability.”
The researchers noted that it might not be a vulnerability, but it still allows an attacker to successfully compromise a Windows 10 machine. As more and more users are switching to the newest version of the OS, this should not be ignored.
Are there any mitigations available?
“This particular technique can be remediated or fixed by disabling the task or removing the requirement for running with highest privileges,” the researchers shared.
“Further, if you would like to monitor for this attack, you could utilize methods/signatures to look for new WMI events as it is required to monitor for new folder creation for this attack to succeed. Combining this with App/DLL whitelisting and monitoring for abnormal modules being loaded (e.g. Sysmon event ID 7) would also limit the success of such an attack.”
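One way to apply the Sysmon event ID 7 monitoring suggested above, as an added example (not code from the researchers or this article): it parses image-load events and flags any module that dismhost.exe loads without a valid Microsoft signature. The sample events, the paths and the signature rule are constructed assumptions.

```python
import ntpath
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Constructed path; EXAMPLE-GUID stands in for the folder cleanmgr.exe creates.
FOLDER = r"C:\Users\alice\AppData\Local\Temp\EXAMPLE-GUID"

def parse_event(xml_text):
    """Return (event_id, fields) for one Sysmon event rendered as XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    fields = {d.get("Name"): d.text or ""
              for d in root.iterfind("e:EventData/e:Data", NS)}
    return event_id, fields

def is_suspicious_load(event_id, fields):
    """True when dismhost.exe loads a module lacking a valid Microsoft signature."""
    if event_id != 7:  # Sysmon event ID 7 = image loaded
        return False
    if ntpath.basename(fields.get("Image", "")).lower() != "dismhost.exe":
        return False
    # Assumption: legitimate DISM modules carry a valid "Microsoft ..." signature.
    trusted = (fields.get("Signed", "").lower() == "true"
               and fields.get("SignatureStatus") == "Valid"
               and fields.get("Signature", "").startswith("Microsoft"))
    return not trusted

def scan(events_xml):
    """Return (ImageLoaded, SignatureStatus) for every flagged event."""
    parsed = (parse_event(x) for x in events_xml)
    return [(f["ImageLoaded"], f["SignatureStatus"])
            for eid, f in parsed if is_suspicious_load(eid, f)]

def make_event(signed, signature, status):
    """Build a constructed event ID 7 record (sample data, not a real log)."""
    fields = {"Image": FOLDER + r"\dismhost.exe",
              "ImageLoaded": FOLDER + r"\LogProvider.dll",
              "Signed": signed, "Signature": signature, "SignatureStatus": status}
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>7</EventID></System>'
            f'<EventData>{body}</EventData></Event>')

# Same file name twice: only the signature state separates the two loads.
SAMPLE = [make_event("true", "Microsoft Windows", "Valid"),
          make_event("false", "", "Unavailable")]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

Because the swapped DLL keeps the legitimate file name and path, the rule keys on the loading process and signature state rather than on the module name.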