Microsoft indicate that they think probably won't have a bulletin. 

As this is likely to be considered a UAC only bypass and might not be fixed I'm providing more context for potential issues.

When a UIAccess program executes it not only sets a special flag in the process token but it also increases the integrity level of the token. The IL increase is to bypass UIPI. How much of an increase depends on the type of user being elevated. For split-token administrators this increase is from Medium to High (the assumption being it needs to interact with elevated admin processes which also run at High IL). For a normal user the current IL is taken (so Medium is 0x2000) and 0x10 is added to it. So the result of this increase is to elevate the IL to being just above the current IL, so in this case 0x2010. If you start a new UIAccess program from an existing one the IL is not increased. 

It's possible to circumvent this and allow a normal user to elevate their token to High IL by exploiting this situation. A normal user can drop their UIAccess privileges using the SetTokenInformation API. So by dropping UIAccess before creating a new process we can ratchet up the IL in 0x10 increments until we hit the maximum limit of High.

This has potential implications if there are resources which either do incorrect administrator checks using just the IL or resources which are marked with High IL. A simple example is the root of the C drive. On Windows 8.1 it has an IL label with the following SDDL options, (OI)(NP)(IO)(NW). This means that any object created inherits the IL (though not containers), the IL is only applied to inheritance and isn't propagated and finally a lower IL can't write to the resource. The DACL allows for files to be modified by normal users but restricts that through the IL. Therefore a normal user which can reach High IL can modify certain files in the root of the C drive, by default there's nothing of interest (bootmgr doesn't have the right DACL) but potentially other software might add files which are security critical. 

To address another potential concern with regards to the requirement that the file is signed with a trusted certificate it's sufficient to place the root cert into the current user's trusted root certificate store. It does not need to be in the local machine store. While the normal UI framework shows confirmation prompts they are not required or enforced by any higher privileged process. Therefore from an attacker perspective it would be possible for malicious code to register a trusted cert and perform the elevation without requiring administrator privileges. 

Correspondence Date: 10 Feb 2015

> Microsoft indicate that they do consider this a UAC issue so this doesn't meet the bar for a security bulletin. Changes might be considered for a future version of Windows.

Microsoft have confirmed that they will not be fixing this issue. Marking as WontFix and de-restricting. 

Hi, can you please elaborate a little bit on the signing process?
I did some changes on your binary but I am getting "Didn't get UIAccess level" - I'm guessing
that I need to resign my new binary with a new certificate.
Lastly having UIAccess means that I would be able to create a new file in e.g. C:\, right?
Thanks!

p.s. I found how to sign the binary, it turns out that I neither have write access to C:\ nor I can spawn a cmd with sys privileges. It's something else that it's out of my expertise but thanks for your research.