
posted by Fnord666 on Thursday May 25 2017, @11:08PM
from the another-day-another-UAC-bypass dept.

Malware authors have a new UAC bypass technique at their disposal that they can use to install malicious apps on devices running Windows 10.

Responsible for discovering this new UAC bypass method is a German student who goes by the online name Christian B. and is currently working on a master's thesis centered on UAC bypass techniques.

The technique he came up with is a variation on another Windows 10 UAC bypass method discovered by security researcher Matt Nelson in August 2016.

While Nelson's method used the built-in Event Viewer utility (eventvwr.exe), Christian's UAC bypass uses the fodhelper.exe file, located at:

C:\Windows\System32\fodhelper.exe

If the file name isn't familiar to you, fodhelper.exe is the program behind the window that appears when you press the "Manage optional features" option in the "Apps & features" Windows Settings screen.

Both techniques work in the same way and take advantage of what's called "auto-elevation," a status that Microsoft assigns to trusted binaries (files signed with a Microsoft certificate and located in trusted locations such as "C:\Windows\System32").

Just like eventvwr.exe, fodhelper.exe is a trusted binary, meaning Windows 10 won't show a UAC prompt when it is launched, nor for other processes spawned with fodhelper.exe as their parent.

The technique works by changing the value of a registry key so that it contains the command to be executed; because fodhelper.exe is trusted, that command runs without a UAC prompt. The article goes on to explain how to avoid the exploit: first, do NOT run as an Administrator by default; second, set the UAC level to "Always notify."
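
As an added example (not code from the article or from the researcher), the following PowerShell audits the two mitigations the summary recommends and hunts for processes whose parent was fodhelper.exe. It assumes Windows 10 with "Audit Process Creation" (Security event 4688) enabled; the policy key and value names are the standard UAC settings, and the function names are my own.

```powershell
# Added example, not from the article: check the two mitigations named above
# (don't run as an Administrator by default; UAC at "Always notify") and look
# for processes whose parent was fodhelper.exe. Assumes Windows 10 with
# "Audit Process Creation" (Security event 4688) enabled.

function Test-UacHardening {
    $policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $policy
    # The "Always notify" slider position = prompt for consent (2) on the secure desktop (1).
    $alwaysNotify = ($p.EnableLUA -eq 1) -and
                    ($p.ConsentPromptBehaviorAdmin -eq 2) -and
                    ($p.PromptOnSecureDesktop -eq 1)
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    # S-1-5-32-544 is the local Administrators group. It stays in the token even
    # when UAC has filtered it to deny-only, which is exactly the situation the
    # bypass relies on: an admin account running with a non-elevated token.
    $inAdmins = $id.Groups.Value -contains 'S-1-5-32-544'
    $elevated = (New-Object Security.Principal.WindowsPrincipal($id)).IsInRole(
                    [Security.Principal.WindowsBuiltInRole]::Administrator)
    [pscustomobject]@{
        AlwaysNotify            = $alwaysNotify
        AccountInAdministrators = $inAdmins
        TokenElevated           = $elevated
        Exposed                 = $inAdmins -and -not $alwaysNotify
    }
}

function Find-FodhelperChildren {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten the 4688 EventData into a name -> value table.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # fodhelper.exe is an unusual parent process; review anything it spawned.
        if ($data.ParentProcessName -like '*\fodhelper.exe') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Child       = $data.NewProcessName
                CommandLine = $data.CommandLine   # present only if command-line auditing is on
            }
        }
    }
}

Test-UacHardening
Find-FodhelperChildren -Hours 24
```

An `Exposed` value of True means the account is an Administrators member without "Always notify", the combination the article warns about; an empty result from the second function is the expected state on a healthy workstation.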

Bleeping Computer

  • (Score: 1, Informative) by Anonymous Coward on Thursday May 25 2017, @11:45PM (2 children)

    by Anonymous Coward on Thursday May 25 2017, @11:45PM (#515752)

    Security *is* hard. No doubt about that!
    But Linux does cover more than 50% of all computing devices (think phones, servers and your hipster friends running Ubuntu) and easily surpasses Windows' install-base. I think its market penetration is pretty in-everyone's-face and I would say an even more lucrative target than your average Win10 user's machine since servers are more powerful which is useful if you want to hijack compute time. Servers also hold (and have access to) a lot more interesting data on a lot more users and more business-critical data that the company would likely be willing to pay for if it ever gets crypto-ransomed.

    So don't be too quick with the whole "it's because Microsoft Windows is so widely used and Linux isn't".

  • (Score: 2) by butthurt on Friday May 26 2017, @12:32AM (1 child)

    by butthurt (6141) on Friday May 26 2017, @12:32AM (#515769) Journal

    In the May 2017 survey [...] Microsoft gained 79 million sites, which has taken its market share up to 49.1%. This is Microsoft's highest market share in the 22-year history of the Web Server Survey [...]

    -- https://news.netcraft.com/archives/category/web-server-survey/ [netcraft.com]

    • (Score: 3, Informative) by Anonymous Coward on Friday May 26 2017, @02:30AM

      by Anonymous Coward on Friday May 26 2017, @02:30AM (#515792)

      One wonders: Of those, in how many cases was the visit by Netcraft the only traffic those servers got that month?
      http://www.google.com/search?tbs=li:1&q=parked.domain [google.com]

      I remember when M$ paid GoDaddy to switch all of their zero-traffic domains from Linux to Windoze in order to queer the numbers.

      -- OriginalOwner_ [soylentnews.org]