
Windows Privilege Escalation – Insecure GUI Applications

Introduction

Certain applications may be running, or may be allowed to run, with higher privileges than the current user, either because they need to access particular system files or simply because of a misconfiguration (an administrator leaving a tool open under their own account, a scheduled task or "runas" shortcut, and so on). Anything done from within such an application executes with the privileges of its process. If the application offers a way to perform other actions, such as opening a command prompt or launching an executable, those actions inherit the same privileges, which allows the user at the keyboard to escalate.

Identifying Exploitable Application

The easiest way to identify applications that may be vulnerable to this is to list running processes with tasklist. The /V switch adds the "User Name" and "Window Title" columns, which show which processes run as a different account and which ones have a visible window:

tasklist /V | findstr [Application Name]

Instead of filtering for the application name, the user name can also be used, such as admin/administrator or NT AUTHORITY\SYSTEM. Note that a standard user cannot read the token of processes owned by other accounts, so tasklist will report their user name as N/A; a GUI process listed with N/A is therefore itself a candidate worth looking at.
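The following PowerShell snippet is an added example, not code from the original post. It does the same enumeration as the tasklist command above but correlates process ownership with the presence of a window, so only GUI applications running as someone other than the current user are listed. It assumes a Windows PowerShell 5.1 or PowerShell 7 session on the target host; owner lookups that fail because the caller cannot open the process are reported as N/A rather than dropped, matching what tasklist shows.

```powershell
# Added example (not from the original post): list GUI processes whose owner
# differs from the current user. Assumes Windows PowerShell 5.1 / PowerShell 7.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

# Processes with a top-level window, keyed by PID (MainWindowHandle is 0 for
# console-only and background processes).
$gui = @{}
Get-Process | Where-Object { $_.MainWindowHandle -ne 0 } |
    ForEach-Object { $gui[$_.Id] = $_.MainWindowTitle }

Get-CimInstance Win32_Process | ForEach-Object {
    $p = $_
    # GetOwner returns non-zero (access denied) for processes we cannot open;
    # report those as N/A, the same way tasklist /V does for a standard user.
    $owner = try {
        $o = Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction Stop
        if ($o.ReturnValue -eq 0) { "$($o.Domain)\$($o.User)" } else { 'N/A' }
    } catch { 'N/A' }

    [pscustomobject]@{
        PID    = $p.ProcessId
        Name   = $p.Name
        Owner  = $owner
        Window = $gui[[int]$p.ProcessId]   # CIM ProcessId is UInt32; Get-Process Id is Int32
        Path   = $p.ExecutablePath
    }
} |
    Where-Object { $_.Owner -ne $me -and $_.Window } |
    Sort-Object Owner, Name |
    Format-Table -AutoSize
```

Anything that appears in this list (for example mspaint.exe or explorer.exe owned by admin or shown as N/A) is a candidate for the techniques in the next sections. Windows belonging to processes in another session are not visible from the current desktop, so the list only covers applications the current user can actually interact with, which is exactly the set that matters here.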

Example 1: Microsoft Paint

Microsoft Paint has a feature that allows users to open files, and they do not necessarily have to be images. This is reached by navigating to File > Open:

The Open dialog is a standard Windows file picker, and typing a path in its "File name" field launches that file with the same privileges as the Paint process. For example, entering the following and pressing Enter will open a command prompt:

file://c:/windows/system32/cmd.exe

The following screenshot shows a command prompt being opened as the “admin” user:

Example 2: File Explorer

Other applications that allow browsing files or running executables will give the same result. For example, File Explorer allows users to open a PowerShell session from the "File" menu ("Open Windows PowerShell"):

Alternatively, the "Windows Help and Support" feature can be used (Windows + F1): searching for "command prompt" and clicking "Click to open Command Prompt" starts a new session with the privileges of the help process.
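Once a shell has been spawned through any of the routes above, it is worth confirming what token it actually inherited before relying on it. The snippet below is an added example, not code from the original post, meant to be pasted into the command prompt or PowerShell window that was just opened (from cmd.exe, start it with `powershell`). It reports the user, whether the token carries the Administrators group, the integrity level from the token's mandatory label, and the parent process, which for the Paint route will be mspaint.exe. It assumes nothing beyond built-in PowerShell and whoami.exe.

```powershell
# Added example (not from the original post): confirm the privileges of the
# shell spawned from the elevated GUI application. Run inside that shell.
$id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($id)
$isAdmin   = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

# Integrity level: the "Mandatory Label\..." group in whoami /groups.
# A filtered (UAC) admin token shows Medium here even though the user is an admin.
$level = (whoami /groups /fo csv | ConvertFrom-Csv |
    Where-Object { $_.'Group Name' -like 'Mandatory Label\*' }).'Group Name'

# Parent chain: which process spawned this shell (mspaint.exe, explorer.exe, ...).
$self   = Get-CimInstance Win32_Process -Filter "ProcessId = $PID"
$parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($self.ParentProcessId)"

[pscustomobject]@{
    User      = $id.Name
    IsAdmin   = $isAdmin
    Integrity = $level
    Parent    = "$($parent.Name) (PID $($parent.ProcessId))"
}
```

Two things this check surfaces. First, if the GUI application was started with runas rather than through a UAC elevation, the shell may show IsAdmin as true but a Medium integrity label; in that case the account is privileged but the process is not yet elevated, and a further UAC step is needed before administrative actions succeed. Second, the Parent field is the same relationship defenders can alert on: cmd.exe or powershell.exe whose parent is mspaint.exe, or any other image that has no business spawning a shell, is a strong indicator of this technique.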

Conclusion

Although GUI applications may look harmless at first sight, since they only appear to allow basic things such as editing pictures or documents, any one of them that is run with elevated privileges and can open a file, browse a directory or launch a program is effectively a privileged shell, and may result in a full system compromise.