A new User Account Control (UAC) bypass technique relies on altering a Windows registry App Paths entry and using the Backup and Restore utility to load malicious code without any security warning.
The technique revolves around the notion of "auto-elevation," which is a state that Microsoft assigns to various trusted binaries.
For example, the Task Manager binary is an auto-elevated file because it's created and digitally signed by Microsoft, and is also housed in a trusted file location, under C:\Windows\system32.
This means that, regardless of the configured UAC security level, launching Task Manager doesn't show a UAC prompt. Similarly, dozens of other Windows binaries carry an auto-elevation setting in their manifest files.
In a recent search for new UAC bypass techniques, security researcher Matt Nelson explored whether he could use auto-elevation to load binaries other than those approved by Microsoft.
The researcher says he found a loophole with the sdclt.exe binary, which is the built-in Backup and Restore utility introduced with Windows 7.
Nelson says that when users launch this utility, the sdclt.exe file uses the control.exe (Control Panel) binary to load the Backup and Restore control panel settings page.
But before loading control.exe, sdclt.exe performs a query to the local Windows Registry to get control.exe's app path, which normally is:
According to Nelson, this is a problem because the lookup goes through the current user's registry hive (HKCU), which low-privileged users are free to modify, including the entry for control.exe. This means an attacker can point that registry key at malware and use the sdclt.exe binary to launch the malicious payload. Because sdclt.exe is auto-elevated, Windows trusts the app and suppresses all UAC prompts.
According to Nelson, this technique only works on Windows 10, not on earlier Windows versions, and was tested on Windows 10 build 15031. A proof-of-concept script is available on GitHub. Nelson also makes the following recommendations.
This particular technique can be remediated or fixed by setting the UAC level to “Always Notify” or by removing the current user from the Local Administrators group. Further, if you would like to monitor for this attack, you could utilize methods/signatures to look for and alert on new registry entries in HKCU\Microsoft\Windows\CurrentVersion\App Paths\Control.exe.
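A defender's audit script that implements the two checks from Nelson's recommendations above, added here as an example (it is not the article's or Nelson's code). It assumes the full key path is HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe (the article abbreviates it), and that ConsentPromptBehaviorAdmin = 2 with PromptOnSecureDesktop = 1 corresponds to the "Always Notify" UAC level.

```powershell
# Added audit example, not from the article or Nelson's PoC.
# Run as the interactive (non-elevated) user whose HKCU hive should be inspected.
param([switch]$Remediate)   # -Remediate deletes a rogue control.exe App Path if found

# Assumed full path of the key the article abbreviates as HKCU\Microsoft\...\App Paths\Control.exe
$hijackKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe'
$findings  = @()

# 1. A control.exe App Path under HKCU should not exist on a clean machine;
#    the legitimate one lives under HKLM.
if (Test-Path $hijackKey) {
    $target   = (Get-ItemProperty -Path $hijackKey).'(default)'
    $expected = Join-Path $env:SystemRoot 'System32\control.exe'
    $findings += "HKCU App Path for control.exe exists -> '$target'"
    if (-not $target -or $target.Trim('"') -ne $expected) {
        $findings += "App Path does not resolve to $expected; sdclt.exe would launch '$target' elevated"
    }
}

# 2. Check the UAC level Nelson recommends ("Always Notify").
#    Assumption: ConsentPromptBehaviorAdmin=2 and PromptOnSecureDesktop=1 is that level.
$uac = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$alwaysNotify = ($uac.ConsentPromptBehaviorAdmin -eq 2) -and ($uac.PromptOnSecureDesktop -eq 1)
if (-not $alwaysNotify) {
    $findings += ("UAC is not at 'Always Notify' (ConsentPromptBehaviorAdmin={0}, PromptOnSecureDesktop={1}); " +
                  "auto-elevated binaries run without a prompt") -f $uac.ConsentPromptBehaviorAdmin, $uac.PromptOnSecureDesktop
}

# 3. Report, and optionally remove the rogue key.
if ($findings.Count -eq 0) {
    Write-Output 'OK: no HKCU control.exe App Path present and UAC set to Always Notify.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    if ($Remediate -and (Test-Path $hijackKey)) {
        Remove-Item -Path $hijackKey -Recurse -Force
        Write-Output "Removed $hijackKey"
    }
}
```

Scheduling this per user alongside registry auditing on the same key gives both a point-in-time check and the alert Nelson suggests.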
Nelson and another researcher, Matt Graeber, have previously found two other UAC bypass techniques, one that abuses the Windows Event Viewer, and one that relies on the Windows 10 Disk Cleanup utility.