User Account Control (UAC) on Windows 10 is designed with security in mind, but a UAC bypass technique published by security researcher Matt Nelson sidesteps it silently for the common case: a user who is a member of the local Administrators group running at the default UAC level. The bypass relies on planting a per-user App Paths entry in the Windows registry so that the built-in Backup and Restore utility (sdclt.exe), which elevates without a prompt, launches attacker-controlled code with high integrity.
How it works
The bypass takes advantage of Microsoft’s auto-elevation mechanism: certain binaries that ship with Windows, are digitally signed by Microsoft, live in a trusted location such as System32 and declare auto-elevation in their manifest are allowed to start with a high-integrity token without showing a UAC prompt at any UAC level below “Always Notify”. Nelson explained in his blog:
While searching for more of these auto-elevating binaries by using the SysInternals tool “sigcheck”, I came across “sdclt.exe” and verified that it auto-elevates due to its manifest.
When observing the execution flow of sdclt.exe, it becomes apparent that this binary starts control.exe in order to open up a Control Panel item in high-integrity context.
The sdclt.exe binary is the built-in Backup and Restore utility that Microsoft introduced with Windows 7. Nelson explained that when a user opens the utility, sdclt.exe uses the Control Panel binary, control.exe, to load the Backup and Restore settings page.
Before it starts control.exe, however, sdclt.exe looks up the path of control.exe in the registry, under the App Paths key of the current user’s hive (HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe). The researcher points out that this is the problem: keys under HKCU are writable by the current user at medium integrity, so no elevation is needed to create or change them. An attacker who sets the default value of that key to a path of their choosing gets that binary started by the already-elevated sdclt.exe instead of control.exe. The planted binary inherits sdclt.exe’s high-integrity token, and because sdclt.exe itself auto-elevates, no UAC prompt is ever shown.
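The following script is an added example, not code from Nelson’s post or from Microsoft; it is an audit a defender can run in a normal, non-elevated PowerShell session to see whether a host is exposed to the bypass described above and whether the hijack artifact is already present. It checks three things: whether the per-user App Paths\control.exe override exists (Windows does not create that key on its own, so its presence is a strong indicator); whether UAC is set to “Always Notify” (ConsentPromptBehaviorAdmin = 2 together with PromptOnSecureDesktop = 1 under the Policies\System key); and whether the current account is in the local Administrators group. The -Remove switch and the function names are this example’s own; nothing here depends on Nelson’s proof-of-concept.

```powershell
# Added example (not Matt Nelson's code): audit a Windows 10 host for the
# conditions that make the sdclt.exe / App Paths bypass possible, and for
# the hijack artifact itself. Run in a normal (non-elevated) PowerShell
# session as the user you want to assess. -Remove (this example's own switch)
# deletes the HKCU override, which a standard user is permitted to do.
param([switch]$Remove)

# Per-user App Paths entry that sdclt.exe consults before starting control.exe.
# Windows does not normally create this key; its presence is a hijack indicator.
$appPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe'

function Test-ControlAppPathHijack {
    if (-not (Test-Path -Path $appPath)) {
        Write-Output 'App Paths\control.exe override: not present (expected)'
        return $false
    }
    # The (Default) value is the path sdclt.exe would launch in place of control.exe.
    $target = (Get-Item -Path $appPath).GetValue('')
    Write-Warning "App Paths\control.exe override found, default value = '$target'"
    return $true
}

function Get-UacLevel {
    # "Always Notify" = prompt for consent on the secure desktop for every elevation,
    # including auto-elevating binaries such as sdclt.exe.
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    [pscustomobject]@{
        EnableLUA                  = $pol.EnableLUA                    # 1 = UAC enabled
        ConsentPromptBehaviorAdmin = $pol.ConsentPromptBehaviorAdmin   # 2 = Always Notify, 5 = default
        PromptOnSecureDesktop      = $pol.PromptOnSecureDesktop        # 1 = secure desktop
        AlwaysNotify               = ($pol.EnableLUA -eq 1 -and
                                      $pol.ConsentPromptBehaviorAdmin -eq 2 -and
                                      $pol.PromptOnSecureDesktop -eq 1)
    }
}

function Test-LocalAdminMember {
    # whoami lists BUILTIN\Administrators (S-1-5-32-544) even when UAC has filtered
    # the token ("Group used for deny only"), which is exactly the split-token admin
    # case the bypass targets. WindowsPrincipal.IsInRole() would report $false there.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    return [bool]($groups | Where-Object { $_.SID -eq 'S-1-5-32-544' })
}

$hijacked = Test-ControlAppPathHijack
$uac      = Get-UacLevel
$isAdmin  = Test-LocalAdminMember

$uac | Format-List
Write-Output "Current user in local Administrators: $isAdmin"

if ($isAdmin -and -not $uac.AlwaysNotify) {
    Write-Warning 'Exposed: local admin without Always Notify; sdclt.exe will elevate without a prompt.'
}
if ($hijacked -and $Remove) {
    Remove-Item -Path $appPath -Recurse -Force
    Write-Output 'Removed HKCU App Paths\control.exe override.'
}
```

Run it as the interactive user rather than from an elevated console: the App Paths lookup happens in the user’s own hive, so an elevated session started as a different account would inspect the wrong HKCU. Removing the override only cleans up the artifact; the exposure remains until UAC is raised to “Always Notify” or the account is taken out of the local Administrators group.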
It is worth pointing out that the technique applies only to Windows 10; Nelson tested it on Windows 10 build 15031. The bypass does not work at the “Always Notify” UAC level, because at that level even auto-elevating binaries prompt. Accordingly, the researcher recommends that users either set UAC to “Always Notify” or remove their day-to-day account from the local Administrators group, so that there is no elevated token for sdclt.exe to hand over.