[Security Vulurability] direct invocation of regedit via Process.Start()

Question

0.00/5 (No votes)

See more:

I've stumbled accross a possible way to bypass UAC which seems kind of troublesome.

Normally inserting values into certain portions of the registry programmaticly requires UAC Elevation to a user with administrative priveledges on the target machine. Right?

That being said, should I be able to do this? The following code works under NET 4.5 on Windows 8 AS-IS.

C#

public void DisableTaskManager()
        {
            try
            {
                if (File.Exists("DisableTaskManager.reg"))
                {
                    File.Delete("DisableTaskManager.reg");
                }
                using (FileStream registryFileStream = File.Create("DisableTaskManager.reg"))
                {
                    Byte[] registryFileContents = new UTF8Encoding(true).GetBytes(Properties.Resources.DisableTaskManager);
                    registryFileStream.Write(registryFileContents, 0, registryFileContents.Length);
                    registryFileStream.Close();
                }
            }
            catch (Exception Ex)
            {
                MessageBox.Show(Ex.ToString());
            }
            try
            {
                ProcessStartInfo startInfo = new ProcessStartInfo();
                startInfo.FileName = "regedit";
                startInfo.Arguments = "/s DisableTaskManager.reg";
                Process.Start(startInfo);
            }
            catch (Exception Ex)
            {
                MessageBox.Show(Ex.ToString());
            }
        }

Is this something I'm missing, or is this another gross example of Microsoft security negligence?

Posted 6-Jun-13 5:28am

ZeroPointSoftware

Add a Solution

Comments

lewax00 6-Jun-13 11:44am

Depends, what is in DisableTaskManager.reg? Some areas of the registry do not require elevation, others do. Or since you aren't checking the output of of your process, it might just be failing completely and you ignore the error message.

ZeroPointSoftware 6-Jun-13 12:05pm

it puts a key in current user polices that simply sets a flag t disable the task manager.

running this via the registry api requires priveledge elevation. I can provide source code I used to do this on request. The point is that registry changes that haev those kinds of effects should have some kind of safety instead of being able to aribtrartily add whatever keys we want into the registry in sensitive areas. ( ie. group policies, etc )

ZeroPointSoftware 6-Jun-13 12:10pm

I should not be able to simply inject code into the registry via a arbitrary .reg file which DOES bypass the safeguards of UAC to achieve the same effect ( where using the registry api to inject the same values as contained in the .reg file previously discussed DOES trigger a UAC prompt ) catch my drift?

Sergey Alexandrovich Kryukov 6-Jun-13 12:24pm

I did not try your code and don't want to, but can you put it straight. Suppose UAC is not disabled and your code is run not under elevated privileges. Are you saying that it will successfully executed and the task manager will be disabled? Is this what you mean by your "AS IS"? I doubt it. If it's the case, how do you know, did you try it?
—SA

lewax00 6-Jun-13 12:16pm

Current user doesn't require elevation.

EDIT: Try it again in HKLM, it won't work. HKCU is intended to be used by any and all programs without admin permissions.

ZeroPointSoftware 6-Jun-13 12:18pm

for writing to policies//system it does ;-)

atleast any time I've tried it has. Might be a window 8 specific change in fuctionality. But either way, bypassable as demonstrated.

ZeroPointSoftware 6-Jun-13 12:20pm

public void DisableTaskManager()
{
RegistryKey regkey;
string keyValueInt = "1";
string subKey = "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System";
try
{
regkey = Registry.CurrentUser.CreateSubKey(subKey);
regkey.SetValue("DisableTaskMgr", keyValueInt);
regkey.Close();
}
catch (Exception ex)
{
MessageBox.Show(ex.ToString());
}
}

This will throw an exception on Windows 8 without an app manifest

lewax00 6-Jun-13 12:38pm

Then it's a problem with the API. I can write to HKCU without elevation on Windows 7 just fine; this is how it's supposed to work. If the API requires elevation for HCKU that's a problem with the API, not UAC.

Sergey Alexandrovich Kryukov 6-Jun-13 12:27pm

OK, now you say that this code required elevation (are you?). If it does, how the bypass is demonstrated?
Maybe we have some miscommunication...
—SA

ZeroPointSoftware 6-Jun-13 12:34pm

I'm not elevated when I run a test app with the above registry api code. it fails everytime. If I add an app.manifest and then re-run the above registry api based code, i get a UAC prompt and the code runs as expected.

NOW....if I invoke regedit from Process.Start() and pass the same values into the registry via code as indicated in the initial article, i can push the same values with NO PROMPT from UAC what so ever.

the analogy is that I'm essentially sneaking registry values in the "back door" with UAC standing around oblivious at the "front door".

Thats what I'm talking about when I say bypass.

Sergey Alexandrovich Kryukov 6-Jun-13 12:41pm

Now you really explained to me what happened, thank you for clarification. That really sounds like a backdoor...
—SA

ZeroPointSoftware 6-Jun-13 12:46pm

Worth a write up to Microsoft?

Sergey Alexandrovich Kryukov 6-Jun-13 13:12pm

I'm still not 100% sure, waiting your confirmation on further detail. Please see [EDIT #2] in my answer and my comment below it.
If the crime really takes place, it worth writing. Even better, keeping to ignore Windows 8. Wrong move anyway.
—SA

ZeroPointSoftware 6-Jun-13 13:29pm

was dumb luck that I even found this. most sane programmers would stick to the api when doing things to the registry. as I said in an earlier comment, it was more screwing around outside the realm of good practices.

The applications of being arbitrarily push values to the registry in this way is quite frankly scary...

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Sergey Alexandrovich Kryukov · Accepted Answer · 2013-06-06T05:57:00

I don't think so. Starting from Vista, and reasonably set up, I think, only in Windows 7, UAC is not to be bypassed. I mean, you can bypass UAC only if the user gives an explicit permission. In particular, the whole UAC check can be disabled for a whole system, and then the system really becomes vulnerable, but if you try to do it automatically, your program cannot bypass the explicit UAC check with the user. It will either throw a permission exception, or, if you write the application "As administrator", the permission will be granted.

(You probably know that being logged on Windows with Administrator privilege is not enough, you have to run each application with elevated privileges. Please see:
http://4sysops.com/archives/vista%E2%80%99s-uac-8-ways-how-to-elevate-an-application-to-run-it-with-administrator-rights/[^],
http://www.sevenforums.com/tutorials/11841-run-administrator.html[^].)

The only thing application can initially do, is to request for elevated privileges from the very beginning, thus saving a user from a troublesome ceremony of choosing this "Run as Administrator" option described above. To do this to your application, you can create and embed appropriate application manifest with required UAC version. This is simple enough and is described here:
http://msdn.microsoft.com/en-us/library/bb756929.aspx[^].

If your application can do something like registry access every time you use it, or on a regular basis, this is a very reasonable thing to do so. And of course, if you want to use Process.Start (which I don't recommend, it's better to use Registry API or anything you can do to avoid starting a child process), your child process will also inherit already elevated privileges. However, it won't bypass any UAC check. It means the request for UAC dialog will be guaranteed to be presented to the user before any APIs requiring elevated access are called. If the user agrees, the application proceeds with elevated privileged, if not, the whole process will be safely terminated. Of course, this is much better than having a security exceptions when your application is already running.

I did not mention such thing as "XP compatibility mode", just don't want to discuss it here. Of course it would make the system vulnerable. I hope this trash will go out of practice with time and will eventually be phased out. For application development, it's too sloppy to keep to the obsolete "don't care about security" practice. At the same time, keeping the application away from security-sensitive actions or otherwise request for proper permissions is way too easy, so ignoring correct safety practices should not be a discussable option.

[EDIT #1]

I just tried to reproduce it on Windows 7. The behavior was correct: it does request my confirmation with UAC dialog. Something is wrong with your OS. Are you sure you did not lower down system security settings?

If you think the wrong part is having Windows 8, I don't know. I'm not going to try out Windows 8, because I don't consider it as a serious OS, by some other, unrelated reasons. If you firmly maintain that it happens to Windows 8 installed by default, without disabling the UAC in system-wide settings, it will be yet another argument against ever using it.

After all, I tried out Vista, but even in nightmare I could not imagine using it in real work. :-)

[EDIT #2]

More detail on the test described above:

Windows 7 has the following options under the applet "Choose to be notified about changes to your computer". It has 4 options:

"Always notify me when…"
Default — Notify me only when programs try to make changes to my computer
Don't notify me when I make changes to Windows settings.
[Same as above adding "don't dim my desktop"]
Never notify me when…

I tried it with #1 and #2 (default). In both cases, UAC dialog requested me. Normally, I personally use option #1 "Always notify…".

Are you sure you are using the same or equivalent level of UAC notification with Windows 8?

—SA