DLL side-loading vulnerability in Microsoft signed autoelevate CompMgmtLauncher.exe - unfortunately the manifest on this file changed in Windows 10 1703 so it can no longer be used to bypass UAC. The side loading doesn't trigger in 1507-1607; this may be exploitable in some situations but is being discarded as a dead end. There is one more of these that we've found but have been unable to exploit. This one is only useful to sideload malware in a signed executable and not for UAC.


The manifest of this binary was adjusted to run asInvoker, so the autoelevate attribute is no longer honored, making it useless for UAC. On systems that have the legacy manifest it could already be trivially leveraged via the mscfile shell open command registry key. I leveraged OneDrive to sideload the DLL, so it should only impact desktops; I do not think the server versions are impacted unless they ship with OneDrive. I'll check on 2012 but I doubt it will be exploitable to bypass UAC notification.

This website was very useful to find exactly when the manifest changed. Definitely worth a visit if you do any Microsoft vulnerability research and need to check system binary versions and changes. Thanks @raptor for pointing me towards this earlier today & @Rairii for suggestions - winbindex.m417z.com/
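The thread turns on one manifest detail: whether a signed binary still carries `requestedExecutionLevel` requireAdministrator together with `autoElevate` true, or was re-manifested as asInvoker. The Python below is an added example, not code from the thread's author, for checking that on a downloaded binary version (for example one pulled from winbindex) before spending time on it. It assumes the RT_MANIFEST resource is stored as UTF-8 XML in the file, which is how Microsoft's system binaries ship it, so a raw byte scan finds it without a full PE resource parser. The two sample blobs are constructed stand-ins for a legacy-style and an asInvoker-style manifest, not the real CompMgmtLauncher.exe manifests. The check covers the manifest half of auto-elevation only; Windows additionally requires a Microsoft signature and a trusted directory such as System32, neither of which is verified here.

```python
import re
import sys
import xml.etree.ElementTree as ET

# RT_MANIFEST resources are plain XML inside .rsrc, so a byte scan is enough
# (assumption: UTF-8 manifest, the usual case for Microsoft system binaries).
MANIFEST_RE = re.compile(rb"<assembly\b.*?</assembly>", re.DOTALL)


def extract_manifests(data: bytes) -> list:
    """Return every embedded manifest found in the raw file bytes as text."""
    return [m.group(0).decode("utf-8", errors="replace") for m in MANIFEST_RE.finditer(data)]


def summarize_manifest(xml_text: str) -> dict:
    """Pull the two UAC-relevant settings out of one manifest.

    Namespaces are stripped: requestedExecutionLevel sits under asm.v3
    trustInfo, autoElevate under the SMI WindowsSettings namespace, and only
    the local names matter here.
    """
    root = ET.fromstring(xml_text)
    level = None
    auto_elevate = None
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1]
        if local == "requestedExecutionLevel":
            level = el.get("level")
        elif local == "autoElevate":
            auto_elevate = (el.text or "").strip().lower() == "true"
    return {"level": level, "autoElevate": auto_elevate}


def uac_autoelevate_candidate(data: bytes) -> bool:
    """True when a manifest asks for elevation and also sets autoElevate.

    An asInvoker manifest is never auto-elevated, which is exactly the
    change described for CompMgmtLauncher.exe in 1703. Signature and
    trusted-location requirements are NOT checked here.
    """
    for manifest in extract_manifests(data):
        s = summarize_manifest(manifest)
        if s["autoElevate"] and s["level"] in ("requireAdministrator", "highestAvailable"):
            return True
    return False


# Constructed sample file contents (not real CompMgmtLauncher.exe manifests):
# junk bytes around a manifest, as it would sit inside a PE's .rsrc section.
_HEAD = b"MZ\x90\x00" + b"\x00" * 16 + b".rsrc\x00junk\x00"
_TAIL = b"\x00" * 8

LEGACY_BLOB = (
    _HEAD
    + b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    + b'<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">'
    + b'<assemblyIdentity version="5.1.0.0" processorArchitecture="*" '
    + b'name="Example.Launcher" type="win32"/>'
    + b'<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges>'
    + b'<requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>'
    + b'</requestedPrivileges></security></trustInfo>'
    + b'<asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3">'
    + b'<asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">'
    + b'<autoElevate>true</autoElevate>'
    + b'</asmv3:windowsSettings></asmv3:application>'
    + b'</assembly>'
    + _TAIL
)

ASINVOKER_BLOB = (
    _HEAD
    + b'<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">'
    + b'<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges>'
    + b'<requestedExecutionLevel level="asInvoker" uiAccess="false"/>'
    + b'</requestedPrivileges></security></trustInfo>'
    + b'</assembly>'
    + _TAIL
)


if __name__ == "__main__":
    # Usage: python manifest_check.py <binary.exe> ...   (no args: run on the samples)
    targets = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [
        ("legacy-sample", LEGACY_BLOB),
        ("asinvoker-sample", ASINVOKER_BLOB),
    ]
    for name, data in targets:
        for manifest in extract_manifests(data):
            print(name, summarize_manifest(manifest))
        print(name, "autoelevate candidate:", uac_autoelevate_candidate(data))
```

Run it against each version of a binary that winbindex lists to locate the build where the manifest flipped; a result of `True` only says the manifest still permits auto-elevation, so the signature and install-path conditions, and whether the DLL search path is actually reachable, still have to be confirmed by hand.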
