Default User wrote:
> Another serious crack in the armor of UAC has emerged and is likely to be
> heavily exploited in the near future.
>
> Windows Vista: Non-privileged code can redirect shortcuts to intercept
> privilege elevation requests
> http://www.securityfocus.com/archive.../30/0/threaded
>
> "Tested on x86 and x64 editions of Windows Vista Ultimate, though this
> exploit should function correctly on all x86 and x64 editions of Windows
> Vista.
>
> This exploit requires an attack vector such as a Trojan horse. However, in
> light of the enormous success of such types of attacks in the past, and the
> fact that User Account Control (UAC) would be expected to protect the user
> from doing something particularly dangerous to the machine, this should be
> considered exploitable.
>
> Non-privileged code can be used to replace shortcuts on the Start Menu and
> intercept elevation of privileges. Because of the way the Start Menu is
> constructed, users can enumerate all of the shortcuts that appear on their
> menus because they have read access to the folders where the shortcuts
> reside. The Start Menu is composed of a common folder and the specific
> user's folder, preferring the user folder if duplicates exist.
>
> Using COM and the .NET Framework, a stub EXE generator can be created that
> will check for the presence of privilege elevation before launching the
> original target process (in order to not alert the user to the fact that
> the target is infected). The .NET CLR is installed by default on Windows
> Vista and so can be used as part of the attack vector.
>
> The proof-of-concept enumerates the shortcuts on the user's menu and the
> common menu and creates or modifies user-local shortcuts to exploitable
> executables via proxy EXEs. It generates the proxy executables and then
> writes a text file to the Windows\System32 folder once a proxy executable
> has been run with elevation. The proof-of-concept code is available at
> http://www.robpaveza.net/VistaUACExploit/PoC.zip and requires Visual Studio
> 2005 to compile.
>
> A whitepaper detailing the architecture of UAC and this exploit is also
> available at
> http://www.robpaveza.net/VistaUACExp...Whitepaper.pdf. The
> whitepaper details the implementation of the Proof of Concept as well, and
> goes into significantly more detail than this (I'm sorry that this is
> short, but I've been working on writing this up for quite a while and just
> want it to be over)."
>
>
> What was Microsoft's response to using third-party security products... oh,
> yeah, "they're nothing but feel-good fluff on Vista"... guess again.


Mac OS X is looking better every day. Now to screw up enough courage
(aka self-interest) to leave the Dark Side.
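
The quoted advisory says the Start Menu prefers the user's folder when the same shortcut exists in both the user and common folders. As an added example (not part of this post, the advisory, or its proof-of-concept), the PowerShell below audits for that condition by listing per-user shortcuts that shadow a common one and reporting where their targets differ. The function names `Get-ShortcutTarget` and `Find-ShadowedShortcut` are hypothetical, and the script assumes the `WScript.Shell` COM object is available to read `.lnk` files.

```powershell
# Added example: audit per-user Start Menu shortcuts that shadow common ones.
# Function names are hypothetical; run as the user whose profile is being checked.

function Get-ShortcutTarget {
    param([string]$Path, $Shell)
    # WScript.Shell.CreateShortcut opens an existing .lnk for reading.
    $lnk = $Shell.CreateShortcut($Path)
    [pscustomobject]@{ Target = $lnk.TargetPath; Arguments = $lnk.Arguments }
}

function Find-ShadowedShortcut {
    param(
        [string]$UserRoot   = [Environment]::GetFolderPath('StartMenu'),
        [string]$CommonRoot = [Environment]::GetFolderPath('CommonStartMenu')
    )
    $shell = New-Object -ComObject WScript.Shell

    # Index common shortcuts by their path relative to the Start Menu root.
    $common = @{}
    Get-ChildItem -LiteralPath $CommonRoot -Recurse -Filter *.lnk -File | ForEach-Object {
        $rel = $_.FullName.Substring($CommonRoot.Length).ToLowerInvariant()
        $common[$rel] = $_.FullName
    }

    # A user shortcut with the same relative path wins over the common one.
    Get-ChildItem -LiteralPath $UserRoot -Recurse -Filter *.lnk -File | ForEach-Object {
        $rel = $_.FullName.Substring($UserRoot.Length).ToLowerInvariant()
        if (-not $common.ContainsKey($rel)) { return }   # not a duplicate, skip

        $u = Get-ShortcutTarget -Path $_.FullName  -Shell $shell
        $c = Get-ShortcutTarget -Path $common[$rel] -Shell $shell
        [pscustomobject]@{
            Shortcut        = $rel
            UserTarget      = $u.Target
            CommonTarget    = $c.Target
            TargetDiffers   = ($u.Target -ne $c.Target) -or ($u.Arguments -ne $c.Arguments)
            # A target inside the profile is writable without elevation.
            TargetInProfile = [bool]$u.Target -and
                $u.Target.StartsWith($env:USERPROFILE, [StringComparison]::OrdinalIgnoreCase)
            Modified        = $_.LastWriteTime
        }
    }
}

# Show only duplicates whose per-user copy launches something different.
Find-ShadowedShortcut | Where-Object TargetDiffers | Format-Table -AutoSize
```

This covers only shortcuts duplicated between the two folders; a shortcut that exists solely in the user folder and has been edited in place will not appear in the output.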