In today's post we'll look at yet another way to bypass UAC using the Display Color Calibration tool, hereafter referred to as "DCCW".
DCCW has already been exploited in the past to bypass UAC, more specifically, by leveraging DLL sideloading:
DccwBypassUACThis research started by helping out a friend with display issues some months ago, and stumbling upon the DCCW tool, or more specifically, the following blog post:
Using the Display Color Calibration Tool (DCCW.exe) in Windows 7 to Get the Most From your DisplayBeing inspired by
Matt Nelson, I decided to have a closer look as to how and why this may be a UAC bypass.
What follows below is purely a Proof of Concept, as you would already need to have compromised the machine (or bypassed UAC, or let the user allow) in order to execute this.
Regardless, it can be used for persistence, and I'd still like for you to following along on my journey inside the wondrous world of UAC bypasses :-)
This has been tested on: Windows 10 and Windows 8.1 x64 and x86.
Prerequisites:
- User has to be member of the local administrator group.
- UAC is ... already disabled, or at a low setting, or the user confirmed the UAC prompt.
DCCW is a Microsoft signed binary and will auto-elevate itself due to its manifest.
 |
| Figure 1 - verified, signed Microsoft binary (using Sigcheck) |
 |
| Figure 2 - autoElevate is set to 'true' |
Running through the DCCW wizard, we can happily click next, until the end of the wizard the following is displayed:
 |
| Figure 3 - end of DCCW wizard |
Note the automatically enabled or ticked checkbox:
"
Start ClearType Tuner when I click Finish to ensure that text appears correctly (Recommended)"
Launching
procmon and executing DCCW; the following can be observed:
 |
| Figure 4 - DCCW loading CTTune |
As you notice, DCCW attempts to open, and read, the subkey in:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution OptionsImage File Execution Options (IFEO) has several uses, and can for example be used to prevent a program from starting, For example, in the past, malware has abused IFEO to hijack processes of antivirus programs, so they would not be able to start.
Back on topic, creating an IFEO using CTTune, we can start anything at the highest integrity (and circumvent the UAC prompt) ... Including PowerShell :-)
 |
| Figure 5 - Launch of DCCW, note the High integrity |
and...
 |
| Figure 6 - PowerShell started with High integrity (normal level of integrity is Medium) |
To try this yourself, create a new key in:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options named
CTTune.exe, consequently create a new value named 'Debugger' and in the Data section, place whatever you want. Example:
 |
| Figure 7 - CTTune IFEO |
End-result:
 |
| Figure 8 - PowerShell running as administrator, with highest integrity |
This attack is more theoretical, rather than practical, due to the need for initial admin permissions, the DCCW wizard appearing, and the user having the need to click through. The main point here is that no UAC windows will appear asking the user for permission, once the IFEO is set, and DCCW is started. Some other points to consider:
- Users love to click on things, especially 'Next' in wizards :-)
- You can try social engineering to entice the user in allowing UAC, & clicking through
- You can try extending the PowerShell script below, by simulating mouse clicks or button presses in PowerShell - effectively impersonating the user.
You may find the PowerShell script here on Github:
https://github.com/bartblaze/dccwUACBypassIf I made any mistake(s) in the script, please do let me know!
Finding UAC bypassesIf you like to try new things, then trying to find a UAC bypass can definitely prove to be a challenge and fun! While my story here was both successful and not - I found a theoretical UAC bypass, but with limitations, it's still good to go out of your way and do something you're less familiar with.
For finding UAC bypasses, or other strange, weird or old Windows artifacts and binaries, I can definitely recommend the following tools:
Process Explorer
https://technet.microsoft.com/en-us/sysinternals/processexplorer.aspxProcess Monitor
https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspxSigcheck
https://technet.microsoft.com/en-us/sysinternals/bb897441.aspxPEViewer/RogueKillerPE
http://www.adlice.com/download/roguekillerpe/IDA Pro Free:
https://www.hex-rays.com/products/ida/support/download_freeware.shtmlA Windows system, and a
C:\Windows\System32 and/or
C:\Windows\SysWOW64 folder.
Additionally, have a look at the Resources section at the end of this post.
PreventionObviously, you would like to prevent these specific bypasses from ever occurring. Please find below some recommendations I've compiled:
Additionally, have a look at the Resources section at the end of this post.
ConclusionsUAC bypasses are an interesting domain: while Microsoft seems to take a 'lighter' approach in regards to these specific bypasses, it doesn't mean they aren't being looked at. For example, latest releases of
Windows 10 fix several UAC bypasses.
My hope is that, by accumulating the info in this blog post and following along my journey, you may find other UAC bypasses, or other cool stuff lying around :-)
Keep in mind that UAC bypasses are definitely out there in the wild - not only by pentesters, but also by attackers, whether cybercrime or APTs.
As always, feedback is appreciated.
ResourcesDefeating Windows User Account Control (UACME)
Dridex Returns With Windows UAC Bypass MethodEnigma0x3's blog (tons of good stuff in there)
PowerShell-Suite/Bypass-UACUser Account Control: Inside Windows 7 User Account ControlUser Account Control Step-by-Step Guide
