In 2017, DZone published a really cool article about a Windows exploit discovered by a German student. It takes advantage of the trusted binary ‘fodhelper.exe’, which is part of Windows. The binary is located in System32 and is signed by Microsoft, so when you run it, the UAC prompt (pictured below), which is normally required to run a program as an administrator, is not required.
The student found that fodhelper.exe looks for additional commands to execute in these two registry keys:
and that he could manipulate the contents of those keys to execute any command he wanted with administrative privileges.
The DZone article included some Python code as an example. I edited the code to show some good examples of how this could be used maliciously.
Essentially, I made a script that offered two options: ask or force. The ask option created a UAC prompt that elevated the script and executed a command of the user’s choosing; the force option used the exploit to do the same without any UAC prompt.
At this point, Windows Defender detected the exploit as harmful and removed it.
In an attempt to combat this, I used PyInstaller to compile the Python script into an executable binary, which surprisingly prevented Windows Defender from recognising it as harmful.
Below I am showing how it could be used to create an elevated command prompt:
It writes the command I have typed in (cmd.exe) to the registry key, and runs fodhelper.exe. An elevated command prompt then opens:
From this command prompt I could wipe my hard drive, get all Wi-Fi passwords, copy work, delete system files, etc. — all with no further permissions.
This is inexcusable. The world’s leading operating system on factory settings is this easily attacked when the vulnerability has been known for over three years.
Since it is a single executable file, this could be implemented as a payload in a Microsoft Word document exploit or a similarly styled attack and easily have access to an entire system.
Currently, the only way to prevent this is by not having administrator accounts, which for a lot of people would be extremely inconvenient.
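Prevention aside, the behaviour described above (fodhelper.exe launching a command that comes up elevated) leaves a trace in process-creation logs. The following is an added example, not code from this post or the DZone article: it assumes Sysmon-style process-creation records (fields `Image`, `ParentImage`, `IntegrityLevel`, `CommandLine`, `User`), treats any child process of fodhelper.exe as worth triage, and runs over constructed sample events.

```python
import ntpath

# Constructed sample records shaped like Sysmon Event ID 1 (process creation).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\fodhelper.exe",
     "IntegrityLevel": "High", "CommandLine": "cmd.exe", "User": r"LAB\alice"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "IntegrityLevel": "Medium", "CommandLine": "notepad.exe", "User": r"LAB\alice"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\tool.exe",
     "ParentImage": r"c:\windows\system32\FODHELPER.EXE",  # case varies in real logs
     "IntegrityLevel": "High", "CommandLine": "tool.exe --run", "User": r"LAB\alice"},
    # fodhelper.exe being started is not an alert by itself; what it spawns is.
    {"Image": r"C:\Windows\System32\fodhelper.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "IntegrityLevel": "High", "CommandLine": "fodhelper.exe", "User": r"LAB\alice"},
]

ELEVATED = {"high", "system"}


def is_fodhelper(path):
    """True if the Windows path names fodhelper.exe (case-insensitive)."""
    return ntpath.basename(path or "").lower() == "fodhelper.exe"


def classify(event):
    """Return None (not relevant), 'suspicious' or 'critical' for one event."""
    if not is_fodhelper(event.get("ParentImage")):
        return None
    # Assumption: a child of fodhelper.exe is unusual; an elevated one matches
    # the elevated command prompt described in the post.
    elevated = (event.get("IntegrityLevel") or "").lower() in ELEVATED
    return "critical" if elevated else "suspicious"


def find_alerts(events):
    """Collect one alert per process spawned by fodhelper.exe."""
    alerts = []
    for ev in events:
        severity = classify(ev)
        if severity:
            alerts.append({"severity": severity, "child": ev.get("Image"),
                           "command_line": ev.get("CommandLine"),
                           "user": ev.get("User")})
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```

Because the rule keys on the parent process rather than on the file that triggered it, it still fires when the script has been repackaged as a PyInstaller binary.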
Thanks for tuning in and I’ll see you in the next post.
Previously published at https://seberry.medium.com/windows-insecurity-10c33aa8f5db