Malware authors have a new UAC bypass technique at their disposal that they can use to install malicious apps on devices running Windows 10.

Responsible for discovering this new UAC bypass method is a German student that goes online by the name of Christian B., currently working on his master's thesis, centered on UAC bypass techniques.

The technique he came up with is a variation on another Windows 10 UAC bypass method discovered by security researcher Matt Nelson in August 2016.

While Nelson's method used the built-in Event Viewer utility (eventvwr.exe), Christian's UAC bypass uses the fodhelper.exe file, located at:

C:\Windows\System32\fodhelper.exe

If this file name isn't familiar to you, this is the window that appears when you press the "Manage optional features" option in the "Apps & features" Windows Settings screen.

UAC bypass

Both techniques work in the same way and take advantage of what's called "auto-elevation," which is a state that Microsoft assigns to trusted binaries (files signed with Microsoft certificate, and located in trusted locations such as "C:\Windows\System32").

Just like eventvwr.exe, fodhelper.exe is also a trusted binary, meaning Windows 10 won't show a UAC window when launched into execution, or when other processes spawn from the fodhelper.exe parent process.

UAC bypass piggybacks registry key

What Christian discovered was that during the execution of the fodhelper.exe binary, Windows 10 would look at two registry keys for additional commands to execute when launching the file.

Because he could edit the value of one of those registry keys, the researcher was able to pass on custom commands that would be executed in the elevated context of the fodhelper.exe file. That registry key is:

HKCU:\Software\Classes\ms-settings\shell\open\command\(default)

This technique could be weaponized if malware gains a foothold on a user's computer. The malware could use scripts to edit that specific registry key, start the fodhelper.exe file, which would then read the malicious commands passed inside the registry key and execute them behind the user's back.

Because the fodhelper.exe is an auto-elevated and trusted binary, Windows 10 would not show a UAC prompt, thinking the file executes trusted commands.

The researcher has released proof of concept (PoC) code on GitHub. His method doesn't drop files on disk, executes only in the computer's memory, and doesn't hijack any DLLs.

UAC bypass can be stopped via one simple step

Despite this, Christian's UAC bypass is not universal, as users need to be part of the operating system's administrator group. While on paper this sounds like a huge restriction, this isn't actually such a big issue on Windows, where most users utilize an admin-level account to manage their PCs.

To prevent malware from exploiting this UAC bypass technique, the security researcher recommends that users stop using administrator accounts as their default users, and set the UAC level to “Always notify,” just to be on the safe side.

There are obvious advantages to not using administrator accounts as default Windows profiles. A report published by Avecto in February 2017 has revealed that by removing admin rights, a user's computer would be protected from all the security bugs discovered in 2016 in IE, Edge, and Office, all which work only from admin-level accounts.

Exploitation of this UAC bypass is to be expected

In a private conversation with Bleeping Computer, Christian says he only researched this UAC bypass for his master's thesis, and that he has no other plans, for the time being, to explore other similar techniques.

After fellow researcher Nelson had published several UAC bypass techniques in 2016 [1, 2] and 2017 [1], miscreants added those methods to their malware. Christian fears his research will have the same fate.

"It was not developed to harm anybody. Unfortunately, I think my PoC could be attractive for malware authors," the researcher told Bleeping Computer. "It is naive to believe that nobody would use this to do bad things, but I am surprised that [my PoC] spreads so fast, although there are other working UAC bypasses out there."

The researcher pointed Bleeping Computer to a pull request that aims to integrate a version of his UAC bypass PoC in the Metasploit Framework, used by pen-testers and malware authors alike.

Once the PoC is added to the Metasploit Framework, Christian's UAC bypass technique will gain even more visibility that it has now.

"I hope that people begin to understand that they should not login with a local administrator account for daily usage," the researcher said, echoing the recommendation from his research.