paint-brush
Vulnerability Of Windows: The Truthby@seberry
173 reads

Vulnerability Of Windows: The Truth

by Sam BerryNovember 15th, 2020
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

A German student discovered a windows exploit that takes advantage of the trusted binary ‘fodhelper.exe’ that is a part of windows. It is located in System32 and is signed by Microsoft, so when you run it, the UAC prompt is not required. The DZone article made some Python code as an example. I edited the code to show some good examples of how this could be use maliciously. The only way to prevent this is by not having administrator accounts, which for a lot of people would be extremely inconvenient.

Company Mentioned

Mention Thumbnail
featured image - Vulnerability Of Windows: The Truth
Sam Berry HackerNoon profile picture

In 2017, DZone wrote a really cool article about a windows exploit that a German student discovered that takes advantage of the trusted binary ‘fodhelper.exe’ that is a part of windows. It is located in System32 and is signed by Microsoft, so when you run it, the UAC prompt (pictured below), which is normally required to run a program as an administrator, is not required.

The student found that fodhelper.exe looks for additional commands to execute in these two registry keys:

Software\Classes\ms-settings\shell\open\command\(default)
Software\Classes\ms-settings\shell\open\command\DelegateExecute

and that he could manipulate the contents of those keys to execute any command he wanted with administrative privileges.

The DZone article made some Python code as an example. I edited the code to show some good examples of how this could be use maliciously.

Essentially, I made a script that asked: ask/force. The ask option created a UAC prompt that elevated the script and executed a command of the user’s choosing; the force option used the exploit to do the same without any UAC prompt.

At this point, windows defender detected the exploit as harmful and removed it.

In an attempt to combat this, I used PyInstaller to compile the Python script into an executable binary, which surprisingly prevented windows defender from recognising it as harmful.

Below I am showing how it could be used to create an elevated command prompt

It writes the command I have typed in (cmd.exe) to the registry key, and runs fodhelper.exe. An elevated command prompt then opens:

From this command prompt I could wipe my hard drive, get all wi-fi passwords, copy work, delete system files, etc. — all with no further permissions.

This is inexcusable. The world’s leading operating system on factory settings is this easily attacked when the vulnerability has been known for over three years.

Since it is a single executable file, this could be implemented as a payload in a Microsoft Word document exploit or similar styled attack and easily have access to an entire system.

Currently, the only way to prevent this is by not having administrator accounts, which for a lot of people would be extremely inconvenient.

Thanks for tuning in and I’ll see you in the next post.

Previously published at https://seberry.medium.com/windows-insecurity-10c33aa8f5db