Twitter | Search
Tavis Ormandy
Interesting question, is this a UAC bypass? My first thought is no, because UIPI means you can't automate the interaction. Therefore, the only way to exploit it is if you could have just clicked OK in the UAC consent anyway.... right? (yes, I know UAC is not a supported boundary)
David Wells, Dec 30
Replying to @taviso
Could be, if you use SendInput or SetCursorPos to get around UIPI.
Tavis Ormandy, Dec 31
Replying to @CE2Wells
That's what UIPI is supposed to prevent. If you know a way around it, that's probably a real vulnerability, because you could (for example) do it to the consent dialog.
Felix aka [xi-tauw], Dec 31
Replying to @taviso
I converted this into UAC bypass some time ago.
MaTt, Dec 31
Replying to @taviso
Agreed, although I see that Cobalt Strike has a UAC bypass which asks the victim to click yes or no. So, if a UAC bypass operation should happen without interaction, why does the Cobalt Strike UAC bypass method ask the victim to click yes or no to get administrator?
Ori Damari, Jan 1
Replying to @harr0ey @taviso
I guess the method in Cobalt Strike is used to "trick" the user into clicking yes. UAC is not meant to prevent stupid users from clicking yes. The method in Cobalt Strike is not really a UAC bypass either.
bohops, Dec 30
Replying to @taviso
I was always under the impression that the goal of a UAC bypass was to run an elevated payload without interaction. Maybe such cases where interaction avoids the "sanity prompt" can be considered a bypass as well? I think it's a stretch, IMO.
Yunhai Zhang, Dec 31
Replying to @taviso
If this is a UAC bypass, then almost every high-integrity process with a UI is a UAC bypass, so ...
Ori Damari, Jan 1
Replying to @taviso
This is not a UAC bypass. Look here for another example: