Tag Archives: Privilege escalation

How to defeat antivirus evasion and privilege escalation techniques

4 February 2018

Last weekend I read two very informative posts on Antivirus Evasion by Mattia Campagnano. But part 2 [1] puzzled me somewhat.

“Following up to my previous post Tips for an Information Security Analyst/Pentester career – Ep. 43: AV Evasion (pt. 1), we’re going now to perform the same attack on a genuine Windows 10 machine, where all latest updates have been installed.”

For a moment I thought ‘a security professional mistakes compliance for security’ because ‘fully patched’ means not that the system is resilient against cyber-attacks. But both posts show that even the most secure Windows ever is vulnerable against privilege escalation and AV evasion if the basic configuration is not changed and fundamental elements of cyber hygiene are missing.

Why are such attacks successful?

First, the user was logged in with permanent administrative privileges. This makes life easy for attackers and fosters lateral movement.

Revoking permanent administrative privileges on workstations and servers must be a basic element of any cyber security program. Under normal conditions, standard users should not have any administrative privileges for their devices at all. If needed, they can be temporarily granted through User Account Control (UAC).

Second, UAC was not set to the highest level “Always notify me”. Unfortunately this is the standard setting after a fresh installation of Windows. With this, privilege escalation is possible without user notification. If configured properly, UAC will notify the user even if he works with administrative privileges.

The BypassUAC method in the meterpreter attack framework will fail, if UAC is set to the highest level. The following excerpt of the code [2] makes this clear

case get_uac_level
 when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
      UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,
      UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
 fail_with(Failure::NotVulnerable,
  "UAC is set to 'Always Notify'. This module does not bypass this setting, exiting..."
 )
 when UAC_DEFAULT
    print_good('UAC is set to Default')
    print_good('BypassUAC can bypass this setting, continuing...')
 when UAC_NO_PROMPT
    print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')
    shell_execute_exe
  return
end

Standards like the DISA STIG for Windows 10 [3] activate all UAC features to make life for the attackers as difficult as possible. From my point of view, the STIGs should be considered also in industry to create workplaces resilient against cyber-attacks. And Microsoft should raise the Windows default for UAC to “Always notify me” for all versions. If a user wants to reduce the security level, he should do this on his own responsibility.

Besides the secure configuration of IT systems and cyber hygiene is user awareness training the third essential pillar of a security program. Users and help desk staff must take proper actions if their system unexpectedly enters the secure desktop and asks for permissions of an action they never asked.

Have a good weekend.


  1. Campagnano, M. Tips for an Information Security Analyst/Pentester career – Ep. 44: AV Evasion (pt 2). The S@vvy_Geek Tips Tech Blog
  2. Rapid7 bypassuac_vbs.rb  Metasploit Framework. (Accessed: 3rd February 2018)
  3. Windows 10 Security Technical Implementation Guide. STIG Viewer | Unified Compliance Framework® Available at: https://www.stigviewer.com/stig/windows_10/. (Accessed: 3rd February 2018)
  4. Campagnano, M. Tips for an Information Security Analyst/Pentester career – Ep. 43: AV Evasion (pt.1). The S@vvy_Geek Tips Tech Blog
Advertisements

Dvmap: the first Android malware with code injection capabilities

25 June 2017

In the train back from Berlin last week I had the opportunity to go through my reading list. The news about Dvmap, an Android malware which code injection capabilities, caught my attention.

Kaspersky’s Roman Unuchek published a great post in the Kaspersky Lab Securelist blog on 8 June 2017 about Dvmap. Dvmap is hidden in the app colourblock which was downloaded more than 50.000 times from the Google Play Store. Google removed the app from the Play Store by now.

Dvmap injects malicious code into the Android system libraries at runtime and deactivates security features of the OS. It is capable to downloading extensions from a C&C Server. In addition, the attackers used some clever method to bypass the security features of the Play Store.

To inject code in system libraries at runtime on Linux-based operating systems root privileges are required. And this is what Dvmap tries at first. Since the standard user does not work as root, the trojan must use existing, unpatched vulnerabilities to gain root rights.

Support Codename Android Version Linux Kernel Distribution
No Gingerbread 2.3.x 2.6.35 0,80%
No Ice Cream Sandwich 4.0.x 3.0.1 0,80%
No Jelly Bean 4.1.x 3.0.31 3,10%
No Jelly Bean 4.2.x 3.4.0 4,40%
No Jelly Bean 4.3 3.4.39 1,30%
Yes KitKat 4.4 3.10 18,10%
Yes Lollipop 5.0 3.16.1 8,20%
Yes Lollipop 5.1 3.16.1 22,60%
Yes Marshmallow 6.0 3.10 31,20%
Yes Nougat 7.0 4.4.1 8,90%
Yes Nougat 7.1 4.4.1 0,60%

(Data collected during a 7-day period ending on June 5, 2017. Any versions with less than 0.1% distribution are not shown. Source: Android Dashboards at Android Developers.com)

The above table shows that 89.6 percent of the Android devices which downloaded software from the Google Play Store run Android versions which are supported by Google. Sounds good.

Unfortunately, Google delivers patches to their partners for further distribution to the consumers. And this is where the trouble begins.

In post ‘Diverse protections for a diverse ecosystem: Android Security 2016 Year in Review’ published on 22 March 2017 in the Google Security Blog one reads:

We provided monthly security updates for all supported Pixel and Nexus devices throughout 2016, and we’re thrilled to see our partners invest significantly in regular updates as well. There’s still a lot of room for improvement, however. About half of devices in use at the end of 2016 had not received a platform security update in the previous year.

With this, about 55% of the devices which downloaded software from the Google Play Store in June 2017 were vulnerable e.g. against Dirty Cow (CVE-2016-5195), a nine-year-old bug in the Linux kernel that was detected in October 2016. Since all Linux kernel from 2.x through 4.x before 4.8.3 were affected, nearly all Android version are affected as well.

From the Android Security Review 2016 we learn that “More than 735 million devices from 200+ manufacturers received a platform security update in 2016”. With this, about 360 million devices are vulnerable to Dirty Cow and Dvmap today.

Google’s partners “invested significantly in regular security updates in the past years”, but sadly not enough. Enterprise customers with an MDM solution like Airwatch in place can take this risk. The consumers foot the bill. Who cares?

Have a great week!