Novel Exploit Chain Enables Windows UAC Bypass

Researchers have flagged a weakness they're tracking as CVE-2024-6769, calling it a combination user access control (UAC) bypass/privilege escalation vulnerability in Windows. It could allow an authenticated attacker to obtain full system privileges, they warned.

That's according to Fortra, which assigned the issue a medium severity score of 6.7 out of 10 on the Common Vulnerability Scoring System (CVSS) scale. Its proof-of-concept exploit demonstrates that "you have the ability to shut down the system," stressed Tyler Reguly, associate director of security R&D at Fortra. "There are certain locations on the drive where you can write and delete files that you couldn't previously." That includes, for example, C:\Windows, so an attacker could take ownership over files owned by SYSTEM.

For its part, Microsoft acknowledged the research but said it does not consider this an actual vulnerability, because it falls under its concept of acceptability to have "non-robust" security boundaries.

Understanding Integrity Levels in Windows

To understand Fortra's findings, we have to go back to Windows Vista, when Microsoft introduced the model of Mandatory Integrity Control (MIC). Simply put, MIC assigned every user, process, and resource a level of access, called an integrity level. Low integrity levels were afforded to all, medium for authenticated users, high for administrators, and system for only the most sensitive and powerful.

Alongside those integrity levels came UAC, a security mechanism that runs most processes and applications at the medium level by default, and requires explicit permission for any actions that require greater privileges than that. Typically, an admin-level user can upgrade simply by right-clicking a command prompt and selecting "Run as Administrator."

By combining two exploit techniques, Fortra researchers demonstrated in their proof of concept how an already-authorized user could slither through this system, jumping across the security boundary imposed on the medium integrity level to obtain full administrative privileges, all without triggering UAC.

Using CVE-2024-6769 to Jump Across User Boundaries

To exploit CVE-2024-6769, an attacker first must have a foothold in a targeted system. This requires the medium integrity-level privileges of an average user, and the account from which the attack is triggered must belong to the system's administrative group (the type of account that could level up to admin privileges, if not for UAC being in its way).

The first step in the attack involves remapping the targeted system's root drive — such as "C:" — to a location under their control. This will also shift the "system32" folder, which many services rely on to load critical system files.

One such service is the CTF Loader, ctfmon.exe, which runs without administrator privileges at a high integrity level. If the attacker places a specially crafted, copycat DLL in the copycat system32 folder, ctfmon.exe will load it and execute the attacker's code at that high integrity level.

Next, if the attacker wishes to obtain full administrative privileges, they can poison the activation context cache, which Windows uses to load specific versions of libraries. To do this, they craft an entry in the cache pointing to a malicious version of a legitimate system DLL, contained in an attacker-generated folder. Through a specially crafted message to the Client/Server Runtime Subsystem (CSRSS) server, the fake file is loaded by a process that has administrator privileges, granting the attacker full control over the system.

Microsoft: Not a Vulnerability

Despite the potential for privilege escalation, Microsoft refused to accept the issue as a vulnerability. After Fortra reported it, the company responded by pointing to the "non-boundaries" section of the Microsoft Security Servicing Criteria for Windows, which outlines how "some Windows components and configurations are explicitly not intended to provide a robust security boundary." Under the pertinent "Administrator to Kernel" section, it reads:

Essentially, Reguly explains, "They see the admin-to-system boundary as a nonexistent boundary, because admin is trusted on a host." In other words, Microsoft doesn't consider CVE-2024-6769 a vulnerability if an admin user could ultimately perform the same system-level actions anyway, subject to UAC approval.

In a statement to Dark Reading, a Microsoft spokesperson highlighted that "The method requires membership in the Administrator group, so the so-called technique is just leveraging an intended permission or privilege which does not cross a security boundary."

Reguly and Fortra disagree with Microsoft's perspective. "When UAC was introduced, I think we were all sold on the idea that UAC was this great new security feature, and Microsoft has a history of fixing bypasses for security features," he says. "So if they're saying that this is a trust boundary that is acceptable to traverse, really what they're saying to me is that UAC is not a security feature. It's some sort of helpful mechanism, but it's not actually security related. I think it's a really strong philosophical difference."

Windows Shops Should Still Beware UAC Bypass Risk

Philosophical differences aside, Reguly stresses that businesses need to be aware of the risk in allowing lower-integrity admins to escalate their privileges to attain full system controls.

At the end of a CVE-2024-6769 exploit, an attacker would have full reign to manipulate or delete critical system files, upload malware, establish persistence, disable security features, access potentially sensitive data, and more.

"Thankfully, only administrators are impacted by this, which means that most of your standard users are unaffected," Fortra noted in an FAQ to reporters. "For administrators, it is important to ensure that you are not running binaries whose origins cannot be verified. For those admins, however, vigilance is the best defense at the moment."