enSilo senior security researcher Yotam Gottesman has discovered a simple method of bypassing the Windows User Account Control (UAC) mechanism. It affects all supported Windows versions and, in some exploitation scenarios, lets an attacker who already runs code as a standard user execute commands with elevated privileges.
The technique relies on the way Windows stores, modifies and passes on environment variables.
Environment variables are a set of name/value settings that every Windows process carries in its own memory. A child process receives a copy of its parent's variables when it is created and can read and write its own copy; changes it makes do not flow back to the parent.
Windows-level environment variables and their capabilities
Unknown to the vast majority of users is that there is also a class of persistent environment variables that apply beyond a single process: a per-machine set and a per-user set that every new process started for that user receives.
These include details such as the current username, the PC's domain, and file paths for various folders such as the Windows installation (SystemRoot), AppData, the user profile, and so on.
The persistent variables are stored in the Windows Registry (the machine-wide set under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment, the per-user set under HKCU\Environment), so they survive reboots. The per-user set can be modified by any user: the "setx" command writes to it without administrative rights (writing the machine-wide set with "setx /M" does require them). The plain "set" command, by contrast, only changes the environment of the current command prompt and does not persist.
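The three scopes described above, shown in PowerShell as an added example. This is illustrative code written for this article, not enSilo's research code; it assumes PowerShell 5.1 or later on Windows, and the variable name ENSILO_DEMO is made up for the demonstration.

```powershell
# Added example: where each environment-variable scope lives on Windows and
# what "set" versus "setx" actually change. ENSILO_DEMO is a made-up name.

$name = 'ENSILO_DEMO'

# 1. Process scope: exists only in this process's environment block.
#    cmd.exe "set X=..." and PowerShell "$env:X = ..." write here; nothing
#    reaches the registry, so an unrelated new process never sees it.
$env:ENSILO_DEMO = 'process-only'
# A child process does inherit a copy of the parent's block at creation.
$child = cmd.exe /c "echo %ENSILO_DEMO%"
"child process saw: $child"

# 2. User scope: persisted in HKCU\Environment and writable by the user.
#    This is what a plain "setx X value" does; no admin rights are needed.
[Environment]::SetEnvironmentVariable($name, 'user-persistent', 'User')
$fromReg = (Get-ItemProperty -Path 'HKCU:\Environment' -Name $name).$name
"HKCU\Environment now holds: $fromReg"

# 3. Machine scope: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment.
#    "setx /M" writes here and requires administrative rights; for a standard
#    user the write is refused and we just report that.
try {
    [Environment]::SetEnvironmentVariable($name, 'machine-persistent', 'Machine')
    "Machine scope written (this session is elevated)"
} catch {
    Write-Warning "Machine scope is not writable by this account: $($_.Exception.Message)"
}

# Defensive check: list per-user variables that carry the same name as a
# machine-wide one but a different value. The per-user copy is what any
# standard user can change silently, so these are the entries worth reviewing.
$machine = [Environment]::GetEnvironmentVariables('Machine')
$user    = [Environment]::GetEnvironmentVariables('User')
foreach ($k in $user.Keys) {
    if ($machine.Contains($k) -and $machine[$k] -ne $user[$k]) {
        "$k : machine='$($machine[$k])' user='$($user[$k])'"
    }
}

# Remove the demo values again (a null value deletes the entry).
[Environment]::SetEnvironmentVariable($name, $null, 'User')
if ($machine.Contains($name)) {
    [Environment]::SetEnvironmentVariable($name, $null, 'Machine')
}
```

Run it once as a standard user and once from an elevated prompt: the user-scope write succeeds in both cases, the machine-scope write only in the second. The final loop is the part to keep around as a routine check, since PATH and TEMP legitimately appear in both scopes but other duplicated names usually deserve an explanation.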