Saturday, January 3, 2015

Hands on hacking - Windows 8.1 Elevation of Privilege vulnerability

Windows-Elevation of Privilege vulnerability in ahcache.sys/NtApphelpCacheControl, reported by the Google project Zero team is now all over in news. So, i thought to try it on my Windows 8.1 and let's see if the provided exploit works or not, and how to verify it ;)

Below are the steps taken directly from the report, and we will be going to execute it one by one and see how it works

1) Put the AppCompatCache.exe and Testdll.dll on disk
2) Ensure that UAC is enabled, the current user is a split-token admin and the UAC setting is the default (no prompt for specific executables). 
3) Execute AppCompatCache from the command prompt with the command line "AppCompatCache.exe c:\windows\system32\ComputerDefaults.exe testdll.dll". 
4) If successful then the calculator should appear running as an administrator. If it doesn't work first time (and you get the ComputerDefaults program) re-run the exploit from 3, there seems to be a caching/timing issue sometimes on first run. 

Let's Start the test

  1. Download the exploit files from this link
  2. As per the step #2 from report, make sure your currently logged in user is
    • split-user token and UAC setting is set to default [  (i)-You should be an administrator, (ii)- Right click on calc.exe and select run as Administrator - an UAC pop up should be displayed ]
  3. Now navigate to downloaded folder poc\bin on command line and execute the below command:
    • AppCompatCache.exe c:\windows\system32\ComputerDefaults.exe testdll.dll
  4. Now you should see calc.exe (calculator) running in elevated administrator mode and that's also without any asking for any UAC pop up confirmation from logged in user :\
    Bypassing UAC using the exploit code (elevation of privilage)

You may wonder how to check if this is actually worked and calc.exe application is started in elevated mode, so here is how you can check :)
  • Open the Task Manager > Navigate to Details tab > Right click on columns > click on 'Select Columns'  > tick the 'Elevated' column and click on OK
    Adding elevated column in Task Manager process details tab 
  • once the 'elevated' column is added, you can see our calc.exe application is started as Administrator.
    checking a process Elevated status
Thank you :)

PS : If you like to go in the bug report detail you can check it here

No comments:

AWS Certified Solutions Architect Associate - AWS Introduction - Questions

All the Best !!! Show Result !! Try Again !! ×