Researcher Bypasses Windows UAC by Spoofing Trusted Directory

A security researcher from Tenable, Inc. recently discovered that it is possible to bypass Windows’ User Account Control (UAC) by spoofing the execution path of a file in a trusted directory. Although Microsoft doesn’t consider UAC a security boundary, the feature still brings additional security benefits: it alerts users in the Administrators group when a program attempts to run with elevated privileges, so that the user can confirm the action. The UAC prompt does not appear for all administrative executables on Windows, however, because some programs can auto-elevate, thus bypassing UAC. Windows has a series of additional security checks in place to ensure that only a select group of trusted executables can auto-elevate. Even so, the approach can be abused to bypass UAC, and Tenable’s David Wells recently discovered a new technique that leverages this functionality to ensure that no UAC prompt is displayed when a rogue executable runs.
