
Thread: UAC/Manifest Annoyance: "a referral was returned from the server"

  1. #1
    nick_name
    Guest

    UAC/Manifest Annoyance: "a referral was returned from the server"

    I am playing with a VC8 executable on 64-bit Windows 7, which started showing me the following error after patching:

    "a referral was returned from the server"
    After digging a little deeper, I found out that the executable comes with the following "assembly manifest" [1] resource:

    Code:
    <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
    <dependency>
    <dependentAssembly>
    <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*">
    </assemblyIdentity>
    </dependentAssembly>
    </dependency>
    
    <dependency>
    <dependentAssembly>
    <assemblyIdentity type="win32" name="wc.sqlceca35" version="1.0.0.0">
    </assemblyIdentity>
    </dependentAssembly>
    </dependency>
    
    <dependency>
    <dependentAssembly>
    <assemblyIdentity type="win32" name="wc.sqlceoledb35" version="1.0.0.0">
    </assemblyIdentity>
    </dependentAssembly>
    </dependency>
    
    <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
    <requestedPrivileges>
    <requestedExecutionLevel level="asInvoker" uiAccess="true">
    </requestedExecutionLevel>
    </requestedPrivileges>
    </security>
    </trustInfo>
    
    <application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings>
    <ms_windowsSettings:dpiAware xmlns:ms_windowsSettings="http://schemas.microsoft.com/SMI/2005/WindowsSettings" xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</ms_windowsSettings:dpiAware></windowsSettings>
    </application>
    </assembly>
    Reading through the references [1],[2] made it clear that UAC (User Access Control) will not allow running a modified binary with an invalid digital signature (which is a consequence of the patching). One can disable UAC completely or change the manifest in the executable.

    UAC reads the following part of the manifest to impose the access control that led to the error.

    Code:
    <security>
    <requestedPrivileges>
    <requestedExecutionLevel level="asInvoker" uiAccess="true">
    </requestedExecutionLevel>
    </requestedPrivileges>
    </security>
    "uiAccess=true" provides two tiers of security:
    1. The executable has to have a valid digital signature (which most probably means having to buy a certificate from Microsoft to perform the signing operation).
    2. The executable has to be stored securely (e.g. Program Files); otherwise the flag is ignored.


    To get rid of the "referral was returned" error ...
    1. one could change it to `uiAccess="false"` (e.g. with PE Explorer)
    2. replace each letter of `uiAccess="true"` with a space (0x20)


    There could be many other sane ways around. Nonetheless, option 2 doesn't require changing the PE header and size, so creating a patch with DUP-2 remains a few clicks away.

    UAC is somewhat new to me since I skipped Vista completely and migrated to Windows 7 from XP. But it was good to know some useful features hidden inside UAC. Hope the information helps someone. Happy reversing.

    [-?-] Wondering if anyone has attempted restoring a corrupted digital signature to a valid signature on Windows executables?

    [1] http://msdn.microsoft.com/en-us/library/aa374219%28v=VS.85%29.aspx
    [2] http://social.msdn.microsoft.com/forums/en-US/windowssecurity/thread/4d2e1358-af95-4f4f-b239-68ec7e2525a9/
    Last edited by nick_name; December 2nd, 2010 at 01:55.
    I promise that I have read the FAQ and tried to use the Search to answer my question.
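
An added example, not part of the original thread: a read-only Python audit that finds the `requestedExecutionLevel` tag quoted in the post above in a file's raw bytes, reports whether `uiAccess="true"` is set (the case the post says needs a valid signature and a secure location), and flags a tag whose attribute has been overwritten with spaces as in option 2. The function name, field names and sample bytes are constructed for illustration, and the code assumes the manifest is stored as uncompressed plain text inside the executable.

```python
import re

# Opening <requestedExecutionLevel ...> tag, matched directly in raw bytes.
TAG_RE = re.compile(rb"<requestedExecutionLevel\b([^>]*)>")
ATTR_RE = re.compile(rb'(\w+)\s*=\s*"([^"]*)"')
# len('uiAccess="true"') == 15, so a blanked attribute leaves >= 15 spaces.
BLANK_RUN = re.compile(rb" {15,}")

# Constructed samples: the tag as quoted in the thread, and the same tag
# with the attribute replaced by 0x20 bytes (same length, same offsets).
SAMPLE_ORIGINAL = b'<requestedExecutionLevel level="asInvoker" uiAccess="true">'
SAMPLE_BLANKED = b'<requestedExecutionLevel level="asInvoker" ' + b" " * 15 + b">"


def audit_execution_level(data):
    """Return one finding per requestedExecutionLevel tag found in data."""
    findings = []
    for match in TAG_RE.finditer(data):
        body = match.group(1)
        attrs = {
            key.decode("ascii", "replace"): value.decode("ascii", "replace")
            for key, value in ATTR_RE.findall(body)
        }
        ui_access = attrs.get("uiAccess")
        findings.append({
            "offset": match.start(),
            "level": attrs.get("level"),
            "uiAccess": ui_access,
            # Per the post: uiAccess="true" needs a valid signature.
            "requires_valid_signature": ui_access == "true",
            # No uiAccess attribute plus a long run of spaces suggests the
            # attribute was overwritten in place rather than never present.
            "blanked_attribute": ui_access is None
            and BLANK_RUN.search(body) is not None,
        })
    return findings


if __name__ == "__main__":
    for name, sample in (("original", SAMPLE_ORIGINAL), ("blanked", SAMPLE_BLANKED)):
        print(name, audit_execution_level(sample))
```

A finding with `blanked_attribute` set is worth pairing with a signature check on the same file, since the post ties the blanking to a binary whose signature is already invalid.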

  2. #2
    dELTA
    Administrator

    Thanks for sharing.
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."
