Another sdclt UAC bypass

Another sdclt UAC bypass

1. Origin of the bypass

As often with UAC, the flaw comes from an auto-elevated process. These processes have the particularity to run with high integrity level without prompting the local admin with the usual UAC window. If the user running with medium privileges can make these process load a dll or execute a command, UAC bypass is performed.

In our case, the executable is sdclt.exe. Sdclt is used in the context of Windows backup and restore mechanisms. You can check it auto-elevates using Sysinternals Sigcheck:

Bypassing UAC on Windows 10 using Disk Cleanup

Bypassing UAC on Windows 10 using Disk Cleanup

Matt Graeber (@mattifestation) and I recently dug into Windows 10, and discovered a rather interesting method of bypassing User Account Control (if you aren’t familiar with UAC you can read more about it here). Currently, there are a couple of public UAC bypass techniques, most of which require a privileged file copy using the IFileOperation COM object or WUSA extraction to take advantage of a DLL hijack. You can dig into some of the public bypasses here (by @hfiref0x). The technique covered in this post differs from the other methods and provides a useful alternative as it does not rely on a privileged file copy or any code injection.

Linux Privilege Escalation

Linux Privilege Escalation

Tools

About

Welcome to 0x1.gitlab.io my personal blog to share my knowledge
Cyber Security, Ethical Hacking, Web & Network Auditing, Reverse Engineering and Cryptography
Website semi-configured to use with No-Script. No ADS and No use analytics tracking.


Contact

Forum : @0x1


© 0x1 | Cyber Security Consulting - Copyright All Rights Reserved