xaitax / TotalRecall

This tool extracts and displays data from the Recall feature in Windows 11, providing an easy way to access information about your PC's activity snapshots.

Minor inaccuracy - UAC Security Boundary #2

Closed a4004 closed 3 months ago

a4004 commented 4 months ago

Hey @xaitax

Love your work, really awesome repo showcasing serious flaws in this new Recall "feature". When will MSFT ever learn? 😂

Just want to point something out to you though, you mentioned UAC is not a security boundary which is factually incorrect. The article you quoted from @Microsoft does mention that "Same-desktop Elevation is not a security boundary", however that refers to an insecure configuration of UAC whereby the allow/deny prompt is presented on the user's desktop rather than the secure desktop (where the screen dims). This configuration is not the default on Windows and must be manually configured for UAC to no longer function as a reliable security boundary.

More important, Same-desktop Elevation in UAC isn't a security boundary. It can be hijacked by unprivileged software that runs on the same desktop. Same-desktop Elevation should be considered a convenience feature. (https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/disable-user-account-control)

I'm not necessarily saying that UAC is perfect, as there are ways to bypass it with varying degrees of success but I think it's important to get the context right when dealing with security issues that have great potential impact.

namazso commented 4 months ago

UAC as an admin user is also not considered a security boundary (regardless of Same-desktop) since there are millions of ways the current user can poison the environment that can hijack a high IL process.

See: https://learn.microsoft.com/en-us/previous-versions/tn-archive/cc751383(v=technet.10)?redirectedfrom=MSDN

If an Administrator is using the system and attempts to do the same task, there is only a warning prompt. That prompt is known as a "Consent Prompt" because the administrator is only asked to agree to the action before proceeding. A weakness that would allow to bypass the "Consent Prompt" is not considered a security vulnerability, since that is not considered a security boundary.

a4004 commented 4 months ago

That sure is interesting that two different Microsoft docs contradict each other. I'd think if they are using the secure desktop by default - then, regardless whether it's vulnerable or not, it would be at least considered a security boundary of some kind. But no, I guess then it seems MSFT knowingly ship a UAC system that isn't even achieving its intended purpose by default. That is kind of funny, and scary at the same time.

namazso commented 4 months ago

It does achieve its intended purpose - which was bullying more programs into working without admin, so that enterprise administrators can actually take away admin from their users without crippling the workflow.
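The two points raised in this thread (whether elevation prompts land on the secure desktop, and whether the account is a protected administrator whose consent prompt Microsoft does not treat as a boundary) can both be checked on a given machine. The script below is an added example, not code from TotalRecall or either commenter; it reads the documented UAC policy values, and the mapping of those values to an "elevation mode" string is this script's own reading of the policy documentation.

```powershell
# Added example (not part of the TotalRecall project or this issue thread).
# Reports the effective UAC configuration and whether the current account is an
# Administrators member, so an operator can tell which case the thread describes.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPolicyValue {
    param([string]$Name, [int]$Default)
    # An absent value means the OS default for that policy applies.
    $item = Get-ItemProperty -Path $PolicyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return [int]$item.$Name
}

function Get-UacElevationMode {
    param([int]$EnableLua, [int]$AdminBehavior, [int]$SecureDesktop)
    if ($EnableLua -eq 0)     { return 'UAC disabled: administrator processes run at high integrity' }
    if ($AdminBehavior -eq 0) { return 'Silent elevation: no prompt shown' }
    # ConsentPromptBehaviorAdmin 1 and 2 always use the secure desktop;
    # 3, 4 and 5 follow PromptOnSecureDesktop (1 = secure desktop, default).
    $onSecure = ($AdminBehavior -in 1, 2) -or ($SecureDesktop -eq 1)
    $kind = if ($AdminBehavior -in 1, 3) { 'Credential' } else { 'Consent' }
    if ($onSecure) { return "$kind prompt on the secure desktop" }
    return "$kind prompt on the user's desktop (Same-desktop Elevation)"
}

$enableLua     = Get-UacPolicyValue -Name 'EnableLUA' -Default 1
$adminBehavior = Get-UacPolicyValue -Name 'ConsentPromptBehaviorAdmin' -Default 5
$secureDesktop = Get-UacPolicyValue -Name 'PromptOnSecureDesktop' -Default 1

# whoami lists BUILTIN\Administrators (S-1-5-32-544) even when the filtered token
# holds it as deny-only, which is exactly the split-token case UAC creates.
$groups   = whoami /groups
$isAdmin  = ($groups -match 'S-1-5-32-544').Count -gt 0
$elevated = ($groups -match 'S-1-16-12288').Count -gt 0   # High Mandatory Level

[pscustomobject]@{
    EnableLUA                  = $enableLua
    ConsentPromptBehaviorAdmin = $adminBehavior
    PromptOnSecureDesktop      = $secureDesktop
    ElevationMode              = Get-UacElevationMode $enableLua $adminBehavior $secureDesktop
    CurrentUserIsAdminMember   = $isAdmin
    CurrentProcessElevated     = $elevated
}
```

When CurrentUserIsAdminMember is true, the account falls under the consent-prompt case namazso quotes, whatever ElevationMode reports; the secure-desktop distinction a4004 draws only changes how the prompt is displayed.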