Nytro Posted October 9, 2013

Windows 7 UAC whitelist: Code-injection Issue (and more)

Quick Windows 7 RTM update: Everything below still applies to the final retail release of Windows 7 (and all updates as of 14/Sep/2011).

Quick Windows 8 update: Everything below still applies to the Windows 8 Developer Preview released on 13/Sep/2011. It is early days, of course, but from a quick look it does not seem that anything UAC-related has changed at all in Win8.

Contents:
Win 7 UAC Code-Injection: Program & source-code
Win 7 UAC Code-Injection: Video demonstrations
Some Quotes
Win 7 UAC Code-Injection: Summary
Win 7 UAC Code-Injection: The good news
Win 7 UAC Code-Injection: How it works
UAC in Vista and Windows 7: Mistakes then and now (Better ways MS could've responded to complaints about Vista.)
UAC Comparison: Two file-managers
If a whitelist makes sense then it must be user-configurable
Previous Windows 7 UAC issues
To those saying, "but it requires code to get on the box"
To those saying, "but UAC isn't a security boundary"
To those saying, "but it's only a beta"
Quick response to a couple of newer things

Program, Source Code and Step-by-Step Guide

While Windows 7 was still in beta Microsoft said this was a non-issue, and ignored my offers to give them full details for several months, so there can't be an issue with making everything public now.

Win7ElevateV2.zip (32-bit and 64-bit binaries; use the version for your OS.)
Win7ElevateV2_Source.zip (C++ source code, and detailed guide to how it works.)
Source in HTML format (for browsing online)
Step-by-step guide (description of what the code does)

This works against the RTM (retail) and RC1 versions of Windows 7. It probably won't work with the old beta build 7000 due to changes in which apps can auto-elevate.
Microsoft could block the binaries via Windows Defender (update: they now do via MSE), or plug the CRYPTBASE.DLL hole, but unless they fix the underlying code-injection / COM-elevation problem the file copy stuff will still work. Fixing only the CRYPTBASE.DLL part, or blocking a particular EXE or DLL, just means someone has to find a slightly different way to take advantage of the file copy part. Finding the CRYPTBASE.DLL method took about 10 minutes, so I'd be surprised if finding an alternative took long. Even if the hole is fixed, UAC in Windows 7 will remain unfair on third-party code and inflexible for users who wish to use third-party admin tools.

Source: Windows 7 UAC whitelist: Code-injection Issue (and more)
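The post's point is that the bypass only matters because the Windows 7 whitelist lets certain Windows binaries elevate without any prompt. The script below is an added example, not part of the forum post or of the Win7Elevate code it links to: it reads the UAC policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop are the real value names; the fallback numbers it assumes when a value is absent are the Windows defaults) and reports whether the machine's configuration permits auto-elevation at all. The "Always notify" remediation is left as commented-out commands so an administrator can decide whether to apply it.

```powershell
# Added example, not part of the forum post or of the Win7Elevate code it links to.
# Audits the UAC policy values that decide whether whitelisted Windows binaries
# may auto-elevate without a prompt (the behaviour the described bypass relies on).
# Reading these values needs no special rights; applying the remediation does.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPolicy {
    $props = Get-ItemProperty -Path $UacKey

    # A missing value means the Windows default applies, so fall back to it.
    function Read-Dword([string]$Name, [int]$Default) {
        $v = $props.$Name
        if ($null -eq $v) { return $Default }
        return [int]$v
    }

    [pscustomobject]@{
        EnableLUA                  = Read-Dword 'EnableLUA' 1
        ConsentPromptBehaviorAdmin = Read-Dword 'ConsentPromptBehaviorAdmin' 5
        PromptOnSecureDesktop      = Read-Dword 'PromptOnSecureDesktop' 1
    }
}

function Test-UacAutoElevation {
    param([pscustomobject]$Policy)

    if ($Policy.EnableLUA -eq 0) {
        return 'UAC is disabled: every process an administrator starts is already elevated.'
    }
    switch ($Policy.ConsentPromptBehaviorAdmin) {
        0 { 'Level 0: all elevation requests are granted silently, whitelist or not.' }
        5 { 'Level 5 (Windows default): whitelisted Windows-signed binaries auto-elevate ' +
            'without a prompt; this is the setting the whitelist bypass depends on.' }
        default { "Level $($Policy.ConsentPromptBehaviorAdmin): every elevation prompts, " +
                  'so nothing auto-elevates and the whitelist is not in play.' }
    }
}

$policy = Get-UacPolicy
$policy | Format-List
Test-UacAutoElevation -Policy $policy

if ($policy.PromptOnSecureDesktop -eq 0) {
    Write-Warning 'Prompts are not shown on the secure desktop, so ordinary user-mode code can draw over them.'
}

# Remediation (uncomment to apply from an elevated shell): "Always notify", i.e.
# prompt for consent on the secure desktop, which switches auto-elevation off.
# Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 2
# Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop -Value 1
```

Only level 5 (and the silent level 0) allows the whitelist to elevate without asking; at levels 1 to 4 every elevation, third-party or Microsoft-signed, shows a prompt, which is why the script treats those levels as "whitelist not in play". The same key applies unchanged on Windows 8, matching the post's remark that nothing UAC-related moved in the Developer Preview.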