In 2017, DZone wrote a really cool article about a Windows exploit that a German student discovered. It takes advantage of the trusted binary ‘fodhelper.exe’ that is part of Windows. It is located in System32 and is signed by Microsoft, so when you run it, the UAC prompt (pictured below), which is normally required to run a program as an administrator, is not required.

The student found that fodhelper.exe looks for additional commands to execute in these two registry keys:

Software\Classes\ms-settings\shell\open\command (default)
Software\Classes\ms-settings\shell\open\command\DelegateExecute

and that he could manipulate the contents of those keys to execute any command he wanted with administrative privileges. The DZone article made some Python code as an example. I edited the code to show some good examples of how this could be used maliciously.

Essentially, I made a script with two options: ask/force. The ask option created a UAC prompt that elevated the script and executed a command of the user’s choosing; the force option used the exploit to do the same without any UAC prompt. At this point, Windows Defender detected the exploit as harmful and removed it. In an attempt to combat this, I used PyInstaller to compile the Python script into an executable binary, which surprisingly prevented Windows Defender from recognising it as harmful.

Below I am showing how it could be used to create an elevated command prompt. It writes the command I have typed in (cmd.exe) to the registry key, and runs fodhelper.exe. An elevated command prompt then opens:

From this command prompt I could wipe my hard drive, get all Wi-Fi passwords, copy work, delete system files, etc. — all with no further permissions. This is inexcusable. The world’s leading operating system on factory settings is this easily attacked when the vulnerability has been known for over three years.
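A defender-side view of those two registry values, as an added example that is not code from this post or from the DZone article: a small Python scanner that flags Sysmon-style "value set" records (Event ID 13) touching the ms-settings\shell\open\command key under a per-user hive and notes whether fodhelper.exe starts afterwards. The log records are constructed for the example in a simplified key=value shape rather than Sysmon's real XML, and the image paths and SID are made up.

```python
import re

# The key the post describes, under a per-user hive (HKCU, or HKU\<SID> as Sysmon
# records it), with either the (Default) value or the DelegateExecute value set.
KEY_RE = re.compile(
    r"^(?:HKU\\[^\\]+|HKCU)\\Software\\Classes\\ms-settings\\shell\\open\\command"
    r"\\(DelegateExecute|\(Default\))$",
    re.IGNORECASE,
)

def parse_record(line):
    """'k=v|k=v' text record -> dict (a constructed log shape, not Sysmon's XML)."""
    return {k.strip(): v.strip() for k, _, v in
            (p.partition("=") for p in line.strip().split("|"))}

def registry_finding(rec):
    """Event ID 13 (RegistryEvent, value set) on the key -> (image, value, data)."""
    m = KEY_RE.match(rec.get("TargetObject", "")) if rec.get("EventID") == "13" else None
    return (rec.get("Image", "?"), m.group(1), rec.get("Details", "")) if m else None

def scan(lines):
    """Return (findings, chained): chained is True when a flagged write is later
    followed by fodhelper.exe starting (Event ID 1), the full pattern the post shows."""
    findings, chained = [], False
    for rec in map(parse_record, filter(str.strip, lines)):
        f = registry_finding(rec)
        if f:
            findings.append(f)
        elif (findings and rec.get("EventID") == "1"
              and rec.get("Image", "").lower().endswith("\\fodhelper.exe")):
            chained = True
    return findings, chained

# Constructed records in the shape above; paths and SID are made up for the example.
SAMPLE_LOG = [
    "EventID=13|Image=C:\\Windows\\explorer.exe|TargetObject=HKU\\S-1-5-21-1\\Software\\Classes\\Local Settings\\MuiCache\\x|Details=y",
    "EventID=13|Image=C:\\Users\\alice\\Downloads\\tool.exe|TargetObject=HKU\\S-1-5-21-1\\Software\\Classes\\ms-settings\\shell\\open\\command\\DelegateExecute|Details=",
    "EventID=13|Image=C:\\Users\\alice\\Downloads\\tool.exe|TargetObject=HKU\\S-1-5-21-1\\Software\\Classes\\ms-settings\\shell\\open\\command\\(Default)|Details=cmd.exe",
    "EventID=1|Image=C:\\Windows\\System32\\fodhelper.exe|CommandLine=fodhelper.exe",
]

if __name__ == "__main__":
    found, chained = scan(SAMPLE_LOG)
    for image, value, data in found:
        print(f"{image} wrote {value} = {data!r}")
    print("fodhelper.exe started after the write:", chained)
```

On a normal workstation that key does not exist under a user hive, so any write to it by a non-installer process is worth an alert on its own; the fodhelper.exe launch that follows simply confirms the pattern.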
Since the compiled script is a single executable file, this could be implemented as a payload in a Microsoft Word document exploit or similar styled attack and easily have access to an entire system. Currently, the only way to prevent this is by not having administrator accounts, which for a lot of people would be extremely inconvenient.

Thanks for tuning in and I’ll see you in the next post.

Previously published at https://seberry.medium.com/windows-insecurity-10c33aa8f5db