Tested on x86 and x64 editions of Windows Vista Ultimate, though this exploit should function correctly on all x86 and x64 editions of Windows Vista.
This exploit requires an attack vector such as a Trojan horse. However, in light of the enormous success of such types of attacks in the past, and the fact that User Account Control (UAC) would be expected to protect the user from doing something particularly dangerous to the machine, this should be considered exploitable.
Non-privileged code can be used to replace shortcuts on the Start Menu and intercept elevation of privileges. Because of the way the Start Menu is constructed, users can enumerate all of the shortcuts that appear on their menus because they have read access to the folders where the shortcuts reside. The Start Menu is composited of a common folder and the specific user's folder, preferring the user folder if duplicates exist.
Using COM and the .NET Framework, a stub EXE generator can be created that will check for the presence of privilege elevation before launching the original target process (in order to not alert the user to the fact that the target is infected). The .NET CLR is installed by default on Windows Vista and so can be used as part of the attack vector.
The proof-of-concept enumerates the shortcuts on the user's menu and the common menu and creates or modified user-local shortcuts to exploitable executables via proxy EXEs. It generates the proxy executables and then writes a text file to the Windows\System32 folder once a proxy executable has been run with elevation. The proof-of-concept code is available at http://www.robpaveza.net/VistaUACExploit/PoC.zip and requires Visual Studio 2005 to compile.
A whitepaper detailing the architecture of UAC and this exploit is also available at http://www.robpaveza.net/VistaUACExploit/UACExploitWhitepaper.pdf. The whitepaper details the implementation of the Proof of Concept as well, and goes into significantly more detail than this (I'm sorry that this is short, but I've been working on writing this up for quite a while and just want it to be over).