Hi @ll,

part 31 (see <http://seclists.org/fulldisclosure/2015/Mar/92>) showed how
to execute arbitrary (rogue) executables planted as
%SystemRoot%\System32\RegEdit.exe, %SystemRoot%\System32\Explorer.exe etc.
instead of %SystemRoot%\RegEdit.exe, %SystemRoot%\Explorer.exe etc.,
including a possible UAC bypass.

This works because Microsoft (mis)places these executables (for historical
"reasons") in %windir%\ alias %SystemRoot%\ (the path returned from the
GetWindowsDirectory() function), although the hard-coded search order uses
%SystemRoot%\System32\ (the path returned from the GetSystemDirectory()
function) before %windir%\ alias %SystemRoot%\.

JFTR: in x64 versions of Windows these historical "reasons" have been
      abandoned completely for 32-bit executables: the 32-bit counterparts
      of all 64-bit executables located in %SystemRoot%\ have been moved to
      %SystemRoot%\SysWoW64\.
      This is backwards compatible since %SystemRoot%\System32\ is
      redirected to %SystemRoot%\SysWoW64\ for 32-bit executables and due
      to the hard-coded search order, plus
      <https://msdn.microsoft.com/en-us/library/aa384187.aspx>:

      | Access to %windir%\regedit.exe is redirected to
      | %windir%\SysWOW64\regedit.exe.

(Un)fortunately there is no redirection from %SystemRoot%\RegEdit.exe to
%SystemRoot%\System32\RegEdit.exe for 64-bit executables and in x86
versions of Windows.

RegEdit.exe loads various DLLs; since the hard-coded search order (see
<https://msdn.microsoft.com/en-us/library/ms682586.aspx>) uses the
application directory first, it is possible to have it load arbitrary
(rogue) DLLs planted into %SystemRoot%\ instead of the system DLLs
installed in %SystemRoot%\System32\ (except for the "known DLLs", see
<https://support.microsoft.com/en-us/kb/164501>).

Of course any other executable (mis)placed in %SystemRoot%\ might be
(ab)used too!

Proof of concept (for Windows 2000 to Windows 10; use your own "sentinel"
~~~~~~~~~~~~~~~~ instead of mine for Windows NT4):

1. get <http://home.arcor.de/skanthak/download/SENTINEL.DLL>
   (this is a 32-bit executable [*]; the 64-bit executable is available
   on request);

2. copy SENTINEL.DLL as %SystemRoot%\ACLUI.DLL
   (use the method shown in <http://seclists.org/fulldisclosure/2015/Mar/92>
   to bypass UAC);

3. execute %SystemRoot%\RegEdit.exe

Mitigation(s):
~~~~~~~~~~~~~~

1. For %! In (%SystemRoot%\*.exe %SystemRoot%\*.dll) Do If Not Exist %SystemRoot%\System32\%~nx! MkLink /H %SystemRoot%\System32\%~nx! %!

   This only helps, though, if RegEdit.exe is not called with its fully
   qualified pathname %SystemRoot%\RegEdit.exe

2. Define ACLUI.DLL as a "known DLL":

   [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs]
   "aclui"="ACLUI.DLL"

stay tuned
Stefan Kanthak

[*] see <http://home.arcor.de/skanthak/sentinel.html>
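An audit script for the planting and mitigation 1 described in the post above (an added example, not Stefan Kanthak's code): it lists every *.exe and *.dll sitting directly in %SystemRoot%, reports whether a same-named file exists in System32 (the search-order shadowing case), whether the name is registered under KnownDLLs, and the Authenticode status, and with -CreateHardLinks applies the hard-link mitigation. It assumes an elevated PowerShell 5.1+ prompt for New-Item -ItemType HardLink, and that catalog-signed Windows binaries may report 'NotSigned' on older PowerShell versions.

```powershell
# Added audit script (not part of the original post). Lists *.exe / *.dll
# directly in %SystemRoot% and flags DLLs that shadow a System32 DLL without
# being a "known DLL" (the ACLUI.DLL case). Assumptions: elevated prompt,
# PowerShell 5.1+ for -CreateHardLinks; catalog-signed Windows binaries may
# show 'NotSigned' on old PowerShell versions.
param([switch]$CreateHardLinks)

$root     = $env:SystemRoot
$sys32    = Join-Path $root 'System32'
$knownKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'

# KnownDLLs values hold DLL file names; DllDirectory/DllDirectory32 hold
# paths and therefore do not match and are skipped.
$knownDlls = (Get-ItemProperty -Path $knownKey).PSObject.Properties |
    Where-Object { $_.Value -is [string] -and $_.Value -match '\.dll$' } |
    ForEach-Object { $_.Value.ToLowerInvariant() }

$report = Get-ChildItem -Path $root -Force |
    Where-Object { -not $_.PSIsContainer -and $_.Extension -match '^\.(exe|dll)$' } |
    ForEach-Object {
        $inSys32 = Test-Path -LiteralPath (Join-Path $sys32 $_.Name)
        $isKnown = $knownDlls -contains $_.Name.ToLowerInvariant()
        $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Name       = $_.Name
            InSystem32 = $inSys32
            KnownDll   = $isKnown
            Signature  = $sig.Status
            Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            # A DLL next to RegEdit.exe that also exists in System32 and is
            # not a known DLL wins the search order: exactly the planting above.
            Suspicious = ($_.Extension -ieq '.dll') -and $inSys32 -and -not $isKnown
        }
    }

$report | Sort-Object Suspicious -Descending | Format-Table -AutoSize

if ($CreateHardLinks) {
    # Mitigation 1 of the post: every %SystemRoot%\*.exe / *.dll without a
    # System32 counterpart gets a hard link there, so a search-order lookup
    # finds the System32 copy first. Review the report before running this.
    foreach ($f in $report | Where-Object { -not $_.InSystem32 }) {
        New-Item -ItemType HardLink -Path (Join-Path $sys32 $f.Name) `
                 -Value (Join-Path $root $f.Name) | Out-Null
    }
}
```

As the post notes, the hard links do not help when RegEdit.exe is started by its fully qualified pathname; the KnownDLLs column shows which names are protected regardless of the application directory.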