Anyone who’s anyone in security is today discussing CVE-2019-1388, a Windows privilege escalation vulnerability that exists in almost every Windows version from Windows 7 (including server versions). Kudos for the discovery goes to Zero Day Initiative contributor Eduardo Braun Prado, who unearthed the tasty vulnerability on 19th November 2019.
The vuln exists in the Windows User Account Control (UAC) interface and is trivial to exploit – as you’ll find out later. NIST has assigned it a base score of 7.8, which means it falls into the ‘high’ severity bracket and is not one to ignore.
User Account Control (UAC), for those who don’t know, is a mechanism for restricting access and allowing accounts to run applications as other users or administrators. Introduced in Windows Vista, it has existed in every Windows version since.
When Windows shows the UAC prompt it creates a virtual desktop known as the secure desktop, which has strict permissions in place because it runs with system privileges. This is where the vulnerability begins.
The secure desktop and the elements within it offer little interactivity, and the more elements that accept user input, the likelier it is that a way to abuse one of them exists. In this case, an object ID present in the certificates of older signed executables causes a clickable hyperlink to be rendered within the certificate information page (as can be seen in the images from our lab below).
When the link is clicked, the UAC prompt starts a browser process and attempts to navigate to it. That browser is not started within the context of the secure desktop, so once you dismiss all the dialogues you are left with an application running as SYSTEM that can then be used to access and start other applications.
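The observable artefact of the behaviour described above is a web browser running as SYSTEM, which is never expected on a healthy host. The following PowerShell snippet is an added example written for this post, not code from the original article or from Immersive Labs; it assumes a set of common browser image names (the `$BrowserNames` list) and uses the standard `Win32_Process` CIM class to list any such process owned by the LocalSystem account together with its parent, so a responder can spot the condition quickly.

```powershell
# Added example (not from the original post). Lists browser processes that are
# running as NT AUTHORITY\SYSTEM, which is the condition the post describes.
function Get-SystemBrowserProcess {
    param(
        # Assumption: image names of the browsers a host is likely to have.
        [string[]]$BrowserNames = @('iexplore.exe', 'msedge.exe', 'chrome.exe', 'firefox.exe')
    )

    foreach ($proc in Get-CimInstance -ClassName Win32_Process) {
        # Only look at browser images; everything else is out of scope here.
        if ($BrowserNames -notcontains $proc.Name) { continue }

        # GetOwner returns Domain/User of the token the process runs under.
        $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
        if ($owner.ReturnValue -ne 0) { continue }   # access denied or process gone
        $user = "$($owner.Domain)\$($owner.User)"
        if ($user -ne 'NT AUTHORITY\SYSTEM') { continue }

        # Resolve the parent so the responder can see what spawned the browser.
        $parent = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"

        [pscustomobject]@{
            ProcessId   = $proc.ProcessId
            Name        = $proc.Name
            Owner       = $user
            ParentId    = $proc.ParentProcessId
            ParentName  = if ($parent) { $parent.Name } else { '<exited>' }
            CommandLine = $proc.CommandLine
        }
    }
}

# Usage: run from an elevated prompt so GetOwner succeeds for SYSTEM processes.
Get-SystemBrowserProcess | Format-Table -AutoSize
```

An empty result is the expected state. Any row returned warrants investigation of the parent process and of whether the host has the fix for CVE-2019-1388 installed.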
While there are many excellent blog posts on this vulnerability, there is no better way to learn than by doing. That’s why we’ve made our CVE-2019-1388 lab available to you for free. Simply register here for Immersive Labs Lite, click on the ‘Emerging Threats’ objective, and have fun!