Windows 10 Disk Cleanup Utility Abused to Bypass UAC


Petrovic

Security researchers Matt Nelson and Matt Graeber have discovered a unique method of bypassing the Windows User Access Control (UAC) security system on Windows 10, allowing malicious files to execute without alerting users that something strange has happened.

Their method doesn't involve a complicated mechanism that implies a privileged file copy or any code injection; it only takes advantage of an already existing Windows scheduled task that's set up to run with the highest privileges available.

That scheduled task is associated with the Disk Cleanup utility, a built-in Windows app for helping users clean and manage their hard drives. The scheduled task is described as: "Maintenance task used by the system to launch a silent auto disk cleanup when running low on free disk space."

 

UAC bypass uses basic DLL hijacking technique
The two researchers discovered that when Windows 10 runs this task, it executes the Disk Cleanup app, which copies a set of files into a folder at "C:\Users\<username>\AppData\Local\Temp".

The files copied here were an executable called DismHost.exe and a very large number of DLL files. Disk Cleanup would then execute the EXE file, which would load one DLL after the other.

The two researchers discovered that DismHost.exe would load LogProvider.dll as the last DLL file in this queue, giving them time to launch an attack.

Nelson and Graeber created a malicious script (aka malware) that would watch the local file system for the creation of new folders inside the Temp directory, and when it detected one of the files above, it would quickly move to replace LogProvider.dll with their own version of the DLL, containing malicious operations.

 

UAC would ignore the scheduled task
This attack technique is called DLL hijacking and is a common method of executing malware attacks.

Because this scheduled task ran from a regular user account, but with the "highest privileges available," UAC remained silent.

An attacker clever enough to use this technique would have had a way to infect a regular user account and then execute code with admin privileges using a very trivial DLL hijacking technique.

 

A fix ain't coming
The good news is that the researchers have told Microsoft about the issue. The bad news is that a fix ain't coming in the immediate future.

"This was disclosed to Microsoft Security Response Center (MSRC) on 07/20/2016," Nelson writes. "As expected, they responded by noting that UAC isn't a security boundary, so this doesn't classify as a security vulnerability."

In the meantime, users are encouraged either to disable the task or to uncheck the "Run with the highest privileges" option as seen below.

To get to this window, press the Start button and search for "Scheduled Tasks." Open the application and on the left side of the window open the following folders: Microsoft -> Windows -> DiskCleanup. Here use the menu on the right side to disable the task, or just untick the problematic box.

Article source
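The two mitigations the article describes (disable the SilentCleanup task, or untick "Run with highest privileges") can be checked and applied from PowerShell instead of the Task Scheduler window, and the same script can look for the DismHost.exe staging folders in the user's Temp directory and flag any DLL there whose Authenticode signature does not validate. This is an added example, not code from the article, the thread, or the researchers; it assumes a Windows 10 host with the built-in ScheduledTasks module, an elevated session for the two functions that change the task, and the task path and name quoted in the thread (\Microsoft\Windows\DiskCleanup\SilentCleanup).

```powershell
# Added example (not from the article or the researchers): audit and harden the
# SilentCleanup scheduled task discussed in the thread, and check DismHost.exe
# staging folders under %TEMP% for DLLs that do not carry a valid signature.
# Assumptions: Windows 10, ScheduledTasks module present, elevated session for
# the Disable-/Set- functions. Task path and name are the ones the thread names.

$taskPath = '\Microsoft\Windows\DiskCleanup\'
$taskName = 'SilentCleanup'

function Get-SilentCleanupStatus {
    # Report whether the task exists, whether it is enabled, and its run level.
    # RunLevel 'Highest' with State 'Ready' is the configuration the article describes.
    $task = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName -ErrorAction SilentlyContinue
    if (-not $task) { return [pscustomobject]@{ Present = $false } }
    [pscustomobject]@{
        Present  = $true
        State    = $task.State                 # Ready / Disabled / Running
        RunLevel = $task.Principal.RunLevel    # Highest or Limited
        GroupId  = $task.Principal.GroupId     # the task runs on behalf of a group by default
        UserId   = $task.Principal.UserId
        Action   = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    }
}

function Disable-SilentCleanup {
    # Mitigation 1 from the article: disable the task outright.
    Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName | Disable-ScheduledTask | Out-Null
}

function Set-SilentCleanupLimited {
    # Mitigation 2 from the article: keep the task but drop "Run with highest privileges".
    $task = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName
    $task.Principal.RunLevel = 'Limited'
    Set-ScheduledTask -InputObject $task | Out-Null
}

function Find-UnsignedDismStagingDlls {
    # Defensive check: locate any folder under Temp that holds a copied DismHost.exe
    # (the staging layout the article describes) and list the DLLs beside it whose
    # Authenticode signature is not valid. Catalog-signed Windows binaries still
    # validate after being copied, so a 'NotSigned' or 'HashMismatch' DLL here is
    # the finding worth investigating, LogProvider.dll in particular.
    param([string]$TempRoot = $env:TEMP)

    Get-ChildItem -Path $TempRoot -Recurse -Filter 'DismHost.exe' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $stagingDir = $_.DirectoryName
            Get-ChildItem -Path $stagingDir -Filter '*.dll' -ErrorAction SilentlyContinue |
                ForEach-Object {
                    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                    if ($sig.Status -ne 'Valid') {
                        [pscustomobject]@{
                            Path   = $_.FullName
                            Status = $sig.Status
                            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                        }
                    }
                }
        }
}

# Usage: inspect first, then apply one of the two mitigations.
Get-SilentCleanupStatus | Format-List
Find-UnsignedDismStagingDlls | Format-Table -AutoSize
# Disable-SilentCleanup        # or:
# Set-SilentCleanupLimited
```

Run Get-SilentCleanupStatus first; if it reports State Ready and RunLevel Highest, the task is still in the configuration the article warns about. The signature scan is deliberately narrow: it only looks at folders that contain a copied DismHost.exe, so it stays quiet on a normal Temp directory and reports only the staging layout the researchers described.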

You can fix this easily: just go into Scheduled Tasks and delete SilentCleanup. The scheduled task is on stock installations of Windows 10.

45 minutes ago, Holmes said:

You can fix this easily: just go into Scheduled Tasks and delete SilentCleanup. The scheduled task is on stock installations of Windows 10.

That works, but only until a Microsoft update sees it is missing and puts it back, which means you would have to constantly check your scheduled tasks to make sure it doesn't 'magically' reappear. A more permanent solution, one that works with all versions of Windows and also stops every piece of malware I have been able to test, is to use the GPO to block anything from running from the AppData folder or its subfolders.

How to Enable or Disable Automatic Maintenance in Windows 10
http://www.tenforums.com/tutorials/40119-automatic-maintenance-enable-disable-windows-10-a.html
Disabling this task would be a better option... Also, this task does not run automatically until the system starts to run low on disk space. Running it normally is not the same as the automated task itself...

Mine is already disabled... I think I did this to optimize the tasks... Regardless, I run it myself every so often.

No update would put it back if you watch what Windows updates you install. I constantly look at my startup locations on my computer, scheduled tasks too, and delete any that I don't want running. I do use Disk Cleanup, and it looks like I'm not going to be using it right now; I'll have to stand by for them to fix this.

I use CCleaner and PerfectDisk; both have an automatic mode if you want to enable them. I don't like built-in Windows apps. The only time I ever ran Disk Cleanup was to clean up from an upgrade, to get rid of the Windows.old folder. In order for them to bypass UAC you have to be infected; if it were that bad they would patch it.

I only use Disk Cleanup if I want to do Windows Update cleanup; CCleaner won't do that, I don't think. That Softpedia article isn't as good, I like this one better:

 

https://threatpost.com/windows-uac-bypass-leaves-systems-open-to-malicious-dlls/119468/

I never use Softpedia; I stopped using it because I think I almost got infected by it one time. Remember, for those interested and those that use Disk Cleanup, you can use this to get the most out of Disk Cleanup:

I haven't used it yet; I'm going to.
