Vulnerability Of Windows: The Truth

Written by seberry | Published 2020/11/15
Tech Story Tags: cybersecurity | hacking | privacy | exploit | authentication-exploits | python | programming | windows

TLDR A German student discovered a windows exploit that takes advantage of the trusted binary ‘fodhelper.exe’ that is a part of windows. It is located in System32 and is signed by Microsoft, so when you run it, the UAC prompt is not required. The DZone article made some Python code as an example. I edited the code to show some good examples of how this could be use maliciously. The only way to prevent this is by not having administrator accounts, which for a lot of people would be extremely inconvenient.via the TL;DR App
In 2017, DZone wrote a really cool article about a windows exploit that a German student discovered that takes advantage of the trusted binary ‘fodhelper.exe’ that is a part of windows. It is located in System32 and is signed by Microsoft, so when you run it, the UAC prompt (pictured below), which is normally required to run a program as an administrator, is not required.
The student found that fodhelper.exe looks for additional commands to execute in these two registry keys:
Software\Classes\ms-settings\shell\open\command\(default)
Software\Classes\ms-settings\shell\open\command\DelegateExecute
and that he could manipulate the contents of those keys to execute any command he wanted with administrative privileges.
The DZone article made some Python code as an example. I edited the code to show some good examples of how this could be use maliciously.
Essentially, I made a script that asked: ask/force. The ask option created a UAC prompt that elevated the script and executed a command of the user’s choosing; the force option used the exploit to do the same without any UAC prompt.
At this point, windows defender detected the exploit as harmful and removed it.
In an attempt to combat this, I used PyInstaller to compile the Python script into an executable binary, which surprisingly prevented windows defender from recognising it as harmful.
Below I am showing how it could be used to create an elevated command prompt
It writes the command I have typed in (cmd.exe) to the registry key, and runs fodhelper.exe. An elevated command prompt then opens:
From this command prompt I could wipe my hard drive, get all wi-fi passwords, copy work, delete system files, etc. — all with no further permissions.
This is inexcusable. The world’s leading operating system on factory settings is this easily attacked when the vulnerability has been known for over three years.
Since it is a single executable file, this could be implemented as a payload in a Microsoft Word document exploit or similar styled attack and easily have access to an entire system.
Currently, the only way to prevent this is by not having administrator accounts, which for a lot of people would be extremely inconvenient.
Thanks for tuning in and I’ll see you in the next post.
Previously published at https://seberry.medium.com/windows-insecurity-10c33aa8f5db
Written by seberry | student programmer
Published by HackerNoon on 2020/11/15
ABOUTHow hackers start their afternoons. We publish tech stories and build publishing software.

READEntirely free library read by hundreds of millions to learn anything about any technology.

WRITEHackerNoon elevates quality technology writing far and wide across the interwebs.

PARTNERHackerNoon works directly with tech companies to place ads by content relevancy