hfiref0x / UACME

Defeating Windows User Account Control
BSD 2-Clause "Simplified" License

[Explanation] Methods status update for Windows 11 #114

Closed hfiref0x closed 2 years ago

hfiref0x commented 2 years ago

All the methods previously marked as unfixed were tested against Windows 11; here are the results:

22 - passed
23 - failed, ~investigation required~, will be fixed in 3.5.7
30 - passed
32 - passed, signatured
33 - passed
34 - passed, signatured
36 - failed, ~relies on originally unstable RC code from polarbear, will be marked as fixed in 3.5.7~, reimplemented, stays in 3.5.7
37 - passed
38 - passed
39 - passed
41 - passed
43 - passed
52 - passed
53 - passed, signatured
55 - passed
56 - failed, reason is likely Windows Store changes, will be marked as fixed in 3.5.7
58 - passed
59 - passed
61 - passed
62 - passed
63 - failed, ~investigation required~, https://github.com/hfiref0x/UACME/issues/114#issuecomment-964032720
64 - passed
65 - failed, ~investigation required~, https://github.com/hfiref0x/UACME/issues/114#issuecomment-964032720
66 - passed, signatured
67 - passed
68 - passed
69 - failed, ~investigation required~, https://github.com/hfiref0x/UACME/issues/114#issuecomment-964032720
70 - passed

AzAgarampur commented 2 years ago

What is method 70?

hfiref0x commented 2 years ago

This will be added as part of 3.5.7 https://v3ded.github.io/redteam/utilizing-programmatic-identifiers-progids-for-uac-bypasses

hfiref0x commented 2 years ago

Update on method 23. It works if it falls back to dismcore.dll usage. Also, MS signatured it again.

hfiref0x commented 2 years ago

Status update for 36, 63, 65, 69

36 is reimplemented to be similar to 23. The Wusa race condition still works and the privileged file copy is unfixed. However, 36 and 37 now differ only in the target applications: 36 uses PkgMgr/Dism while 37 abuses SXS for DCCW.

63 terminates due to a timeout on a heavily loaded VM; if the MSCHEDEXE task execution is already cached by the system then it works OK. It is fine for me as is.

65 produces an OpenWith dialog (that's new behaviour). If something is selected there and the method is restarted afterwards then it works OK.

69 produces a Compatibility Assistant dialog. If the method is then restarted it works OK. As far as I remember a similar issue has been mentioned here, https://github.com/hfiref0x/UACME/issues/111#issuecomment-888142293. Not sure what changed since, so the previous workaround seems not to work with Win11.