Within Windows

AAHAHAHAHAH THE CAKE IS A LIE!
And good the “cheater” title for System Mandatory Level.

I hope that at default UAC will be set as highest level…

Uh-oh! That’s seriously big deal. And what can be the solution? Embed manifest checking into rundll32? Replace all rundll32 calls with separate signed exes?

I think this whole signing concept is flawed.

I don’t get how MS could mess up this bad. In Vista, doing ShellExecute(..”runas”,”rundll32.exe”,”foo.dll,bar”…) would display the UAC dialog with a “non safe” color, not the MS windows color at the top of the UAC dialog so they already knew they had to be careful with rundll32

The only way this is going to work is if there is a user controlled white list (with UAC popup to change this list ofcourse) In a fresh install, this list should only contain MS .cpl’s (excluding the one for configuring UAC)

@Dugbug

No-one’s saying that UAC will prevent you installing software such as Open Office. Leo Davidson’s point (I think!) is that given the user has no control over which components/applications are whitelisted, the playing field isn’t a level one. A 3rd party file manager will not be able to run in the same elevated/trusted fashion as Microsoft’s own file manager (Windows Explorer).

@Dugbug:

Windows never stopped anyone running Netscape either. That isn’t the only way things can be anti-competitive.

Having an operating system feature/API in place that gives features to multiple MS bundled applications but does not allow the same features (with the user’s permission where applicable) to 3rd party apps is anti-competitive, surely? How could it not be?

I am not arguing that MS should unbundle their apps or include other people’s. I’ve heard those arguments and I think they are silly. However, I do think that any OS feature with a bundled MS app can use should also be usable via 3rd party alternatives.

Does that not strike you as reasonable?

Although, as I say in my updated page, the anti-competitive nature of the whitelist doesn’t really matter as things are now because it’s so trivial for third party code to bypass UAC if the whitelist is enabled. The problem is that the user has no control over what is whitelisted if anything is whitelisted at all. So the security problem that Rafael has demonstrated so well is by far the greater issue. When (if) that is fixed the anti-competitive issue may still remain, unless MS do the right thing and let users control what is and isn’t whitelisted in addition to fixing the other security problems.

@Leo Davidson: Have you tested this? A process can not change elevation level, so Explorer must be using a child process or a elevated COM object, so injecting code would not help unless you scan all its memory and somehow find this COM object. If its a child process, I don’t see how process injection could work (And I would assume this elevated instance does its fileoperation without loading shell exstensions)

@Rafael: Agreed, but I wanted to make the point that closing the RunDll32/runas hole isn’t enough to solve the problem.

There are other easy ways to get other whitelisted medium-level apps to launch elevated code. RunDll32/runas is certainly the best example because it’s explicitly intended for launching code and obviously should not allow arbitrary code to launch elevated. Fixing that alone would only mean you’d need 50 lines of code to gain elevation instead of 5 lines. (Very approximate line numbers, of course.)

@asf: Explorer.exe is just one example but I have checked that it is non-elevated (“medium” level) and creates elevated COM objects (IFileOperation at least on Vista; don’t have my Win7 VM booted at the moment). It is whitelisted so there are no prompts when it creates those objects.

AFAIK there’s no protection on which objects it creates elevated (there certainly isn’t in the case of RunDll32 as Rafael’s proof shows).

You can get your own code into any application running at the same level using the debug APIs. Essentially you copy the code into the other processes memory and then start a thread from that point. Your code is now running within a whitelisted process and can create elevated COM objects (or perform other UAC elevation actions) without prompting.

In theory, that is. I haven’t written a proof of concept for this like Rafael has done for the RunDll32/runas case. It’s possible there’s something I am missing but extrapolating from what I know about Vista and what Rafael has proven about Windows 7 I can’t see any flaws in my plan. It doesn’t seem worth proving when the RunDll32/runas case has already shown the system is deeply flawed as it is but I doubt it’d take more than a few hours of coding to implement, unless I am wrong.

@Rafael: You mean the restrictions on which objects can be created elevated, or something else I’ve missed? I think a lot could be done with the existing objects registered for elevation, plus the ones which third parties install to do whatever they need to. Now, unless I’ve missed something, any COM object intended for elevated use can be used, with elevation, by any program without any prompts. If that’s true we might as well disable UAC for any process timestamped post-2009. :-)

BTW, this story was picked up by Mary Jo Foley at ZDNet: http://blogs.zdnet.com/microsoft/?p=1898

She got a laughable reply from Microsoft which included this nonsense:

“The only way this could be changed without the user’s knowledge is by malicious code already running on the box.”

Here’s why I think that is nonsense. (I posted this in the comments over there as well.)

–>8–
Given that installers run with full admin rights, UAC has never been about preventing malicious code already on the box from doing things.

UAC is about reducing the risk from the scenario where non-malicious code on the box is exploited, usually through a buffer-overflow bug, into doing what someone outside the box wants it to.

UAC makes it easy to avoid running everything with full admin rights. That in turn means that when a non-malicious program is compromised it can do less damage.

But now, by default in Windows 7 unless Microsoft admit this is a problem and change things at the last minute, it is trivially easy for a compromised non-admin process to elevate arbitrary code to full admin rights.

The only thing UAC will prevent, by default on Win 7, is attacks that don’t bother to target Win 7. Any attack written with Win 7 in mind can use one of several trivial methods to bypass UAC unless the user has taken the time to change it to always prompt.
–>8–

You can’t have it both ways. You either turn the slider up or down. It should be a personal choice (as they have made it).

How the heck that you get something like that is a vulnerability in this case is beyond me. If you don’t leave UAC up all the way it’s your choice. It’s important (like having sex with someone) that you are informed about your security practices.

The slider in Windows 7 gives you that option. If you hate the protection Vista gave you, and it slows you down too much turn it down.

If you are concerned leave it turned up all the way..

@Leo Davidson: Only COM interfaces in HKLM are loaded when elevated in explorer AFAIK, so the only thing I can think of is to overwrite a dll that is already registered in HKLM with your own for full code control (You would need to find a dll that’s not already loaded/locked, IIRC property sheet exstension dll’s are unloaded right after you close the prop sheet)

So, with auto elevated explorer, you would replace a dll that implements a property sheet handler (on my XP machine, docprop.dll is not normally loaded, only with open property sheet, I’m sure there are others) and you have replaced a system dll, then run explorer.exe /seperated c:\ and open a property sheet

The same thing can be done with MMC and anything that can be elevated and loads a dll (I’m assuming these dlls are not checked for missing MS cert)

Not sure what I am doing wrong but I can’t get this to work in standard user mode, only works in admin user mode. (x64 version).

Leo: Explorer does not run elevated and in fact is not designed to run elevated at all. AFAIK it elevated sub processes to perform specific tasks only when necessary, like moving files you need Administrator access to move. If explorer is elevated its run dialog contains the shield icon to warn you that anything launched from explorer will also be elevated (easy to do accidentally if you restart it from task manager).

However Open/Save dialogs in elevated processes may be another matter (and would apply to Vista too) but someone would need to test this, I have no idea if those dialogs are elevated with the rest of the process.

steve: Auto-elevation cannot function in standard user mode. It only works as an administrator. In standard user mode an administrator’s credentials are required to run anything elevated… obviously with an administrator already logged in the prompt can be silently bypassed with auto-elevated, but otherwise it needs credentials and is forced to ask for them.

asf: “* … run explorer.exe /seperated c:\ from elevated cmd prompt or whatever ….” If you’re already elevated there’s no need to replace shell extensions to elevate yourself, is there?

Tihiy: IMO it’s time MS marked rundll32 as a legacy component and stopped using it in their apps. They could easily build stubs for just the individual calls, and then just those stubs would be auto-elevated for those specific functions. But AFAIK in Vista they removed the need for rundll32 calls from their core stuff so I’m not sure why rundll32 is being unsecured now.

Giulio: Cool, but that would break nearly all third-party apps right out of the box. It’s really not an option for most users.

This is all so stupid. Wasn’t this type of thing why CAS (code access security) was added to .Net? Don’t they even read their own docs? Morons!

It does not work 4 me. I am running win 7 built 7000

If explorer will allow anyone to take advantage of elevated privilages, then what is the solution, to what I see as the most ridiculous security flaw ever? I was under the impression that Windows 7 was supposed to be supiriour to Vista in every sense. I have been running build 7000 for about a week and I’m very happy with it so far but if I have to get annoying confirm boxes every 30 seconds just to have a secure OS then I’ll probably start looking elsewhere for a new OS.

http://blogs.zdnet.com/microsoft/?p=1914 there is an update where apparently they say they have fixed it. Mined you we may not see the fix untill final releace

Глубокоуважаемые, а нельзя оставлять комментарии по теме, а не разную глупость типа Автор молодец и т.д.

so why auto-elevating control panel applets? imho this is unnecessary.
I think I can stand pressing the “Ok” button in elevation window once or twice a week.