5 March 2015
Daniel Dieterle’s post ‘Pulling Remote Word Documents from RAM using Kali Linux | CYBER ARMS – Computer Security’ is amazing and at the same time frightening. Once an attacker has hijacked a system he can dump the memory of every process running in the signed-in user’s context.
It only remains to hope that the user works without administrative privileges. In that case the impact of the attack on the operating system is limited, at least in theory.
Unfortunately we are dealing here with Windows 7. With the default User Account Control (UAC) level (‘Notify me only when programs try to make changes to my computer’), an attacker who has compromised a user that is a member of the local Administrators group can bypass UAC and silently turn the user’s filtered token into a full administrator token. Note the precondition: a UAC bypass elevates a protected administrator, not a standard user. With admin privileges the attacker can create a memory dump of every process, in particular of lsass.exe, which on Windows 7 holds the signed-in user’s password in plain text, for example for the Kerberos and WDigest authentication packages.
Metasploit’s local exploit module exploit/windows/local/bypassuac drops bypassuac-x86.exe onto the target to elevate the Meterpreter session; Mimikatz is then used to extract the passwords from the lsass.exe dump.
This weakness in the Windows 7 UAC defaults has been well known for a long time and is very easy to mitigate: set UAC to the highest level, ‘Always notify me’. At that level Windows no longer auto-elevates its own signed binaries, which is exactly the hook bypassuac relies on, so it can no longer elevate the user. Take a look into the code for more details.
Don’t ask why Microsoft hasn’t fixed this (its position is that UAC is a convenience feature, not a security boundary) or why system administrators do not change the default value with a Group Policy. Life could be so easy …
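As an added example (written for this page, not code from the original post or from Daniel Dieterle’s article), the following PowerShell script audits the three registry values behind the UAC slider and, when run with -Fix from an elevated prompt, sets them to the ‘Always notify me’ level. It also reports whether the current account is a split-token administrator, i.e. the kind of account a UAC bypass actually helps. The registry key and value names are the documented ones that the Group Policy ‘Security Options’ entries write to; the script name Check-Uac.ps1 used in the comments is hypothetical.

```powershell
# Check-Uac.ps1 (hypothetical name) - added example, not part of the original post.
# Audits the UAC elevation policy and, with -Fix, hardens it to "Always notify me".
# Assumption: run in an elevated PowerShell on Windows 7 or later when using -Fix.
param(
    [switch]$Fix
)

# The UAC slider and the matching Group Policy "Security Options" entries both
# write to this key, so a domain GPO ends up with exactly these values.
$Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# "Always notify me" is this exact combination. The Windows 7 default differs
# only in ConsentPromptBehaviorAdmin = 5 (prompt for non-Windows binaries only),
# which is what lets signed Windows binaries auto-elevate and bypassuac work.
$Desired = @{
    EnableLUA                  = 1   # UAC switched on at all
    ConsentPromptBehaviorAdmin = 2   # prompt for consent on the secure desktop for EVERY elevation
    PromptOnSecureDesktop      = 1   # show the prompt on the secure (dimmed) desktop
}

function Get-UacSetting {
    param([string]$Name)
    # A missing value means the OS default applies; report it as $null.
    (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
}

$Current = @{}
foreach ($name in $Desired.Keys) { $Current[$name] = Get-UacSetting $name }

# Is the signed-in user a "protected administrator" (member of Administrators,
# running with a filtered token)? Only such accounts gain anything from a UAC
# bypass; a plain standard user cannot be elevated this way.
$identity   = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal  = New-Object Security.Principal.WindowsPrincipal($identity)
$groupSids  = $identity.Groups | ForEach-Object { $_.Value }
$isAdminMember = $groupSids -contains 'S-1-5-32-544'          # BUILTIN\Administrators
$isElevated    = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

"Current UAC policy under $Key"
foreach ($name in $Desired.Keys) {
    $shown = if ($null -eq $Current[$name]) { '<not set>' } else { $Current[$name] }
    '  {0,-28} = {1,-10} (wanted {2})' -f $name, $shown, $Desired[$name]
}

$alwaysNotify = @($Desired.Keys | Where-Object { $Current[$_] -ne $Desired[$_] }).Count -eq 0
if ($alwaysNotify) {
    'UAC level: Always notify me - auto-elevation of Windows binaries is disabled.'
} else {
    'UAC level: WEAKER than Always notify - classic auto-elevation bypasses may succeed.'
}

if ($isAdminMember -and -not $isElevated) {
    "Account $($identity.Name) is a split-token administrator: a UAC bypass would give it full admin rights."
} elseif ($isAdminMember) {
    "Account $($identity.Name) is already running fully elevated."
} else {
    "Account $($identity.Name) is a standard user: a UAC bypass cannot elevate it."
}

if ($Fix -and -not $alwaysNotify) {
    if (-not $isElevated) { throw 'Run this script from an elevated PowerShell to apply -Fix.' }
    foreach ($name in $Desired.Keys) {
        if ($Current[$name] -ne $Desired[$name]) {
            Set-ItemProperty -Path $Key -Name $name -Value $Desired[$name] -Type DWord
            "  set $name = $($Desired[$name])"
        }
    }
    if ($Current['EnableLUA'] -ne 1) { 'EnableLUA was changed: a reboot is required before it takes effect.' }
}
```

Run it without parameters for an audit; add -Fix to apply the ‘Always notify’ values locally. In a domain, set the same three values through Group Policy (Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options, the ‘User Account Control: …’ entries) instead of touching registries by hand. Keep in mind that ‘Always notify’ only closes the auto-elevation route; since Microsoft does not treat UAC as a security boundary, the durable fix remains working day to day with an account that is not in the local Administrators group.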
That’s it for today. Please check the UAC settings on your Windows devices as soon as possible.