MSI Packages Symbolic Links Processing – Windows 10 Privilege Escalation

  • Author: nu11secur1ty
    Date: 2020-02-17
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/48079/
  • # Exploit Title: MSI Packages Symbolic Links Processing - Windows 10 Privilege Escalation
    # Author: nu11secur1ty
    # Date: 2020-02-14
    # Vendor: Microsoft
    # Link: https://github.com/nu11secur1ty/Windows10Exploits/tree/master/Undefined/CVE-2020-0683/nu11secur1ty
    # CVE: CVE-2020-0683
    
    
    [+] Credits: Ventsislav Varbanovski (@ nu11secur1ty)
    [+] Website: https://www.nu11secur1ty.com/
    [+] Source: readme from GitHub
    [+] twitter.com/nu11secur1ty
    
    
    [Exploit Program]
    Link:
    https://github.com/nu11secur1ty/Windows10Exploits/tree/master/Undefined/CVE-2020-0683/nu11secur1ty
    
    
    [Vendor]
    Microsoft
    
    
    [Vulnerability Type]
    Windows Installer Elevation of Privilege Vulnerability
    
    [CVE Reference]
    
    An elevation of privilege vulnerability exists in the Windows Installer
    when MSI packages process symbolic links. An attacker who successfully
    exploited this vulnerability could bypass access restrictions to add or
    remove files.
    
    To exploit this vulnerability, an attacker would first have to log on to
    the system. An attacker could then run a specially crafted application that
    could exploit the vulnerability and add or remove files.
    
    The security update addresses the vulnerability by modifying how reparse
    points are handled by the Windows Installer.
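    The MSRC text above only says that the fix changed how the Installer handles reparse points. As an added example (not code from this advisory, from Microsoft, or from the exploit repository), the Python below shows the defensive shape of that kind of fix: a file write performed by a privileged component that refuses to pass through any symlink, junction or other reparse point on the path, rather than trusting the path the caller handed it. The function and class names are my own, and the `demo` scenario is constructed in a temporary directory (a stand-in `system.ini`, a file symlink and a directory symlink), not the real `C:\Windows\system.ini`.

```python
import os
import stat
import tempfile


class ReparsePointError(PermissionError):
    """Raised when a write would pass through a symlink, junction or other reparse point."""


def is_reparse_point(path: str) -> bool:
    """True if the final component of `path` is itself a link rather than a real file/dir.

    lstat examines the directory entry itself, not what it points at. On Windows the
    reparse-point flag lives in st_file_attributes (symlinks, junctions and other
    reparse tags all set it); elsewhere the POSIX symlink mode bit is used.
    A missing entry is not a reparse point.
    """
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    attrs = getattr(st, "st_file_attributes", None)  # present on Windows only
    if attrs is not None:
        return bool(attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT)
    return stat.S_ISLNK(st.st_mode)


def write_without_following_links(path: str, data: bytes) -> int:
    """Write `data` to `path`, refusing if any path component is a reparse point.

    Every directory on the way down is checked, because a link in the middle of
    the path redirects the write just as well as a link at the final name. On
    POSIX the open also passes O_NOFOLLOW, which closes the check-then-open race
    on the final component; os.open on Windows has no such flag, so there the
    lstat walk is the only guard. This is a hypothetical hardening pattern, not
    the change Microsoft shipped in msiexec.
    """
    path = os.path.abspath(path)  # normalises, but does not resolve links
    drive, rest = os.path.splitdrive(path)
    current = drive + os.sep
    for part in rest.strip(os.sep).split(os.sep):
        current = os.path.join(current, part)
        if is_reparse_point(current):
            raise ReparsePointError(f"refusing to write through reparse point: {current}")
    flags = (os.O_WRONLY | os.O_CREAT | os.O_TRUNC
             | getattr(os, "O_NOFOLLOW", 0) | getattr(os, "O_BINARY", 0))
    fd = os.open(path, flags, 0o600)
    try:
        return os.write(fd, data)
    finally:
        os.close(fd)


def demo() -> dict:
    """Constructed scenario: a real config file, a file symlink to it and a
    directory symlink whose path reaches it. Returns what happened to each."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        real = os.path.join(tmp, "system.ini")  # stand-in, not C:\Windows\system.ini
        with open(real, "wb") as f:
            f.write(b"[drivers]\n")
        try:
            os.symlink(real, os.path.join(tmp, "alias.ini"))
            os.symlink(tmp, os.path.join(tmp, "dirlink"))
        except OSError:
            out["links"] = "unsupported"  # e.g. Windows without symlink privilege
        else:
            cases = {"file_link": "alias.ini",
                     "dir_link": os.path.join("dirlink", "system.ini")}
            for label, rel in cases.items():
                try:
                    write_without_following_links(os.path.join(tmp, rel), b"tampered\n")
                    out[label] = "written"
                except ReparsePointError:
                    out[label] = "refused"
        # A write addressed directly at the real file is still allowed.
        out["system.ini"] = write_without_following_links(real, b"[drivers]\nwave=mmdrv.dll\n")
        with open(real, "rb") as f:
            out["content"] = f.read()
    return out


if __name__ == "__main__":
    print(demo())
```

    The walk over every component matters more than the final-name check: the attack surface of the class described here is a path the privileged installer resolves on the user's behalf, and any writable directory in that path that can be turned into a link redirects the operation. A practitioner auditing similar code should look for writes into user-influenced locations that never inspect the path, and for the check-then-open window where no O_NOFOLLOW equivalent is available.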
    
    
    [Security Issue]
    Elevation of Privilege from user to C:\Windows\administration execution
    files
    
    
    [References]
    
    # CVE-2020-0683
    Original PoC sent to MSRC.
    Assigned to CVE-2020-0683 - Windows Installer Elevation of Privilege
    https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-0683
    
    Source code for Visual Studio C++ 2019
    
    Inside "nu11secur1ty" you'll find the exploit (exe) to execute.
    
    # Note:
    
    This test uses `system.ini` at c:\Windows\system.ini.
    After running the test against this file, restore the original
    `system.ini`; a copy is kept in the CVE-2020-0683 directory :)
    
    --------------------------------------------------------------------------
    
    - How to run the exploit
    
    Go into "nu11secur1ty" directory and from a cmd console launch:
    
    - for the test
    
    MsiExploit.exe "c:\Windows\system.ini"
    
    Be sure that both "MsiExploit.exe" and "foo.msi" reside in the same directory.
    
    - Disclaimer:
    
    The entry creation date may reflect when the CVE ID was allocated or
    reserved, and does not necessarily indicate when this vulnerability
    was discovered, shared with the affected vendor, publicly disclosed,
    or updated in CVE.
    
    
    - @nu11secur1ty
    
    
    [Network Access]
    Local
    
    
    [Disclosure Timeline]
    02/11/2020
    
    
    nu11secur1ty
    --