In this 3rd part of "Offensive Windows", I'll be writing about a local privilege escalation possibility that exists in the application fodhelper.exe.

This whole vulnerability exists due to the nature of fodhelper.exe, which requires administrative privileges to launch; if the user doesn't have them, it goes ahead and automatically elevates its own privileges without presenting the usual UAC prompt seen below!

This could be abused to trigger another application to launch with the permissions fodhelper.exe has, such as an admin command prompt shell.
The first step would be to launch the application and monitor for any abnormal activities, which doesn't seem to be the case with my install of Windows. The next step would be to scan the application's binary with sigcheck.exe. Sigcheck is part of Microsoft's Sysinternals Suite, which can be downloaded for free.
C:\Tools\SysinternalsSuite>sigcheck.exe -a -m C:\Windows\System32\fodhelper.exe
Here we are able to see the Requested Execution Level, and that AutoElevate is set to True. This is exactly what we are going to exploit. Moving on, we are going to use Procmon.exe, another application that comes packaged with Microsoft's Sysinternals Suite.
Launching fodhelper.exe with procmon open shows all the actions and tasks that fodhelper attempts to execute. With the help of the following filters we are able to identify a few registry keys that are queried by fodhelper.exe but do not exist.
The filters are for:
- Monitoring the process = fodhelper.exe
- Checking the Operation for
- Checking the Result = NAME NOT FOUND
- Checking the Path =
This is what we are returned when fodhelper.exe is relaunched with procmon running. We can clearly see that fodhelper is requesting a non-existent key, HKCU\Software\Classes\ms-settings\Shell\Open\command.
So how we take advantage of this is: we create a new key at that path and set cmd.exe as the value to open. Commands:
REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command
REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ
REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /d "cmd.exe" /f
- Create a new key
- Specify the value name (DelegateExecute) and its type
- Set the default value to open up cmd.exe
Now, once we open fodhelper, the following will happen.
We can see that an admin command prompt shell has opened up in the background and we now have full system wide access! Privesc donzo!
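From the other side of the fence, the same registry path is the thing to watch for. The following PowerShell script is an added example, not part of the original post: it checks the current user's ms-settings handler key that fodhelper.exe queries, reports whether it looks like the override built above (a DelegateExecute value plus an executable in the default value), and removes the override when run with the -Remove switch. The function name Test-FodhelperHijack and the -Remove switch are my own choices.

```powershell
# Added example (not from the original post): audit and clean up the per-user
# ms-settings handler override that fodhelper.exe looks up before elevating.
# Assumes it runs in the context of the user being audited; on a clean install
# this HKCU key does not exist at all.
param([switch]$Remove)

$KeyPath = 'HKCU:\Software\Classes\ms-settings\Shell\Open\command'

function Test-FodhelperHijack {
    param([string]$Path = $KeyPath)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{
            Present = $false; Command = $null; DelegateExecute = $null; Suspicious = $false
        }
    }

    $item     = Get-ItemProperty -LiteralPath $Path
    $command  = $item.'(default)'          # what the shell verb would launch
    $delegate = $item.DelegateExecute      # $null when the value is absent

    # Any per-user override here is worth a look; an (empty) DelegateExecute value
    # together with an executable in (default) is exactly the shape used above.
    $suspicious = ($null -ne $delegate) -or ($command -match '\.(exe|bat|cmd|ps1)\b')

    [pscustomobject]@{
        Present = $true; Command = $command; DelegateExecute = $delegate; Suspicious = $suspicious
    }
}

$result = Test-FodhelperHijack
$result | Format-List

if ($result.Present -and $Remove) {
    # Remove the whole per-user ms-settings subtree so the HKCR/HKLM default applies again.
    Remove-Item -LiteralPath 'HKCU:\Software\Classes\ms-settings' -Recurse -Force
    Write-Host 'Removed per-user ms-settings override.'
}
```

Run it without arguments to just report, or with -Remove to delete the override. Two points a defender should keep in mind: the key lives under HKCU, so no elevation is needed to plant or to clean it, which is also why a periodic check per user profile (or a registry-set alert from Sysmon on that path) is cheap to deploy; and the auto-elevation this post relies on only happens at the default UAC level, so raising UAC to "Always notify" makes auto-elevate binaries such as fodhelper.exe prompt like any other program.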