Nytro

Privilege escalation (UAC bypass) in ChangePK


Matt harr0ey
May 4 · 3 min read

Introduction
It’s been a long time since I decided to be away from Twitter for a while, for self-improvement reasons and to find valuable bugs. While I was away from Twitter I worked hard on the basics of privilege escalation to become aware of it; after that I went through privilege escalation bugs and successfully found an interesting one that works on most versions of Windows (XP/7/8/10/etc.). In this article, I’ll write in simple and very understandable words.

What is privilege escalation?
Although I’m not a pro at this, I’ll help as much as I can: privilege escalation is a technique that helps an attacker gain a high level of privilege from a low one by means of techniques like DLL hijacking, User Account Control (UAC) bypass, etc. By the way, there are many techniques that aren’t mentioned here, but you can find them on this website:
https://attack.mitre.org/tactics/TA0004/

How does Slui UAC bypass work?
There is a tool named ChangePK in System32 that has a service which opens a window for you called Windows Activation in SystemSettings; this service makes it easy for you and other users to change an old Windows activation key to a new one. The tool (ChangePK) doesn’t open itself with high privilege, but there is another tool that opens ChangePK with high privilege, named slui.exe. Let’s take a look at more details.

How does Slui.exe work?
Slui doesn’t have a feature that runs it as administrator automatically, but we can do that manually, either by right-clicking on slui and then clicking “Run as administrator”, or by using this command: powershell.exe start-process slui.exe -verb runas

How did I find the vulnerability?

The tool I used to find the registry key to get a UAC bypass from slui.exe is Procmon. I put some filters in Procmon to find missing registry paths for Slui, and I succeeded in finding the right missing registry path. Let’s take a look at it!

[Procmon screenshots: the filtered trace showing the missing registry path queried by slui.exe]

After creating all the registry paths needed to get a Slui UAC bypass, I got the SUCCESS word in Procmon. Look at this!

[Procmon screenshot: the SUCCESS result on the created registry path]

Now It’s time to test the bug!

[Screenshot: testing the bypass]

Yay, it worked like a charm. Have fun!

Hey guys, before leaving this article, I want to acknowledge bytecode77, who has found a registry key path that allows attackers to gain high privilege. Although his method of UAC bypass is different from mine, it’s not a problem (^_^). In bytecode77’s method, his registry path leads slui to be executed by HKCU\Software\Classes\exefile\shell, while my method is very different from that… it leads slui to be executed by HKCU\Software\Classes\launcher.Systemsettings\Shell\open\command. That’s the first different thing; the next one is that bytecode77’s registry key path

The proof of concept:
https://gist.github.com/homjxi0e/9174952b6535a13a2645978b8abfd541

Source: https://medium.com/@mattharr0ey/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b
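The Procmon hunting described in the post above can be turned around into detection. The Python script below is an added example, not code from the article, from Nytro, or from the Procmon project. It reads Procmon's CSV export (the real column layout: Time of Day, Process Name, PID, Operation, Path, Result, Detail), flags any process planting the two HKCU\Software\Classes paths the article names, and flags the auto-elevated launcher resolving them with SUCCESS, which is the condition the author screenshotted; a NAME NOT FOUND result from the launcher is the healthy state and is left alone. The sample rows are constructed, and the process name untrusted.exe, the CLSID path in the benign row and the inclusion of changepk.exe next to slui.exe in the launcher set are assumptions of this example.

```python
"""Scan a Procmon CSV export for the per-user registry hijack described above.

Added example, not code from the article or from Procmon. The column layout
matches Procmon's CSV export; the rows in SAMPLE_CSV are constructed."""
import csv
import io

# Registry paths the article names as the hijack point (the author's key and
# bytecode77's variant). A standard user can write under HKCU\Software\Classes,
# and the auto-elevated launcher consults it before HKLM, so the mere existence
# of these keys is what a defender wants to notice.
WATCHED_PATHS = (
    r"HKCU\Software\Classes\launcher.Systemsettings\Shell\open\command",
    r"HKCU\Software\Classes\exefile\shell",
)

# Auto-elevated binaries in the chain. slui.exe comes from the article;
# listing changepk.exe alongside it is an assumption of this example.
ELEVATED_LAUNCHERS = {"slui.exe", "changepk.exe"}

WRITE_OPS = {"RegCreateKey", "RegSetValue"}
READ_OPS = {"RegOpenKey", "RegQueryKey", "RegQueryValue"}


def is_watched(path):
    """True when the path is one of the watched hijack keys or lies under one."""
    lowered = path.lower()
    return any(lowered.startswith(w.lower()) for w in WATCHED_PATHS)


def classify(row):
    """Label one Procmon row: 'staging', 'hijack-live', or None when benign."""
    if not is_watched(row["Path"]):
        return None
    proc = row["Process Name"].lower()
    op = row["Operation"]
    # Any process other than the elevated launcher writing the key is planting it.
    if op in WRITE_OPS and proc not in ELEVATED_LAUNCHERS:
        return "staging"
    if proc in ELEVATED_LAUNCHERS and op in READ_OPS:
        # NAME NOT FOUND is the healthy state: the key is absent and the launcher
        # falls back to the machine-wide handler. SUCCESS is the article's
        # "success word": the planted per-user key was resolved.
        return "hijack-live" if row["Result"] == "SUCCESS" else None
    return None


def scan(csv_text):
    """Return (label, process, operation, path) for every suspicious row."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        label = classify(row)
        if label is not None:
            findings.append((label, row["Process Name"], row["Operation"], row["Path"]))
    return findings


# Constructed sample in Procmon's CSV export layout (not a real trace).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","slui.exe","4120","RegOpenKey","HKCU\Software\Classes\launcher.Systemsettings\Shell\open\command","NAME NOT FOUND","Desired Access: Read"
"10:01:30.5","untrusted.exe","5012","RegCreateKey","HKCU\Software\Classes\launcher.Systemsettings\Shell\open\command","SUCCESS","Desired Access: All Access"
"10:01:30.6","untrusted.exe","5012","RegSetValue","HKCU\Software\Classes\launcher.Systemsettings\Shell\open\command\(Default)","SUCCESS","Type: REG_SZ, Length: 40, Data: <planted command, placeholder>"
"10:02:00.0","slui.exe","4388","RegOpenKey","HKCU\Software\Classes\launcher.Systemsettings\Shell\open\command","SUCCESS","Desired Access: Read"
"10:02:00.1","explorer.exe","2200","RegQueryValue","HKCU\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000000}","SUCCESS","Type: REG_SZ, Length: 12, Data: placeholder"
'''

if __name__ == "__main__":
    for finding in scan(SAMPLE_CSV):
        print(*finding)
```

Run against the sample it reports two staging rows (the key being created and its default value set) and one hijack-live row (slui.exe opening the key with SUCCESS). The mitigation follows from the same observation: that key has no business existing for a normal user, so an endpoint baseline that alerts on its creation by any process covers the condition without a Procmon session.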
