Microsoft Windows 10 MSI Privilege Escalation

2020.02.18
Credit: nu11secur1ty
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-264


CVSS Base Score: 7.2/10
Impact Subscore: 10/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

# Exploit Title: MSI Packages Symbolic Links Processing - Windows 10 Privilege Escalation # Author: nu11secur1ty # Date: 2020-02-14 # Vendor: Microsoft # Link: https://github.com/nu11secur1ty/Windows10Exploits/tree/master/Undefined/CVE-2020-0683/nu11secur1ty # CVE: CVE-2020-0683 [+] Credits: Ventsislav Varbanovski (@ nu11secur1ty) [+] Website: https://www.nu11secur1ty.com/ [+] Source: readme from GitHUB [+] twitter.com/nu11secur1ty [Exploit Program] Link: https://github.com/nu11secur1ty/Windows10Exploits/tree/master/Undefined/CVE-2020-0683/nu11secur1ty [Vendor] Microsoft [Vulnerability Type] Windows Installer Elevation of Privilege Vulnerability [CVE Reference] An elevation of privilege vulnerability exists in the Windows Installer when MSI packages process symbolic links. An attacker who successfully exploited this vulnerability could bypass access restrictions to add or remove files. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and add or remove files. The security update addresses the vulnerability by modifying how to reparse points are handled by the Windows Installer. [Security Issue] Elevation of Privilege from user to C:\Windows\administartion execution files [References] # CVE-2020-0683 Original Poc sent to MSRC. Assigned to CVE-2020-0683 - Windows Installer Elevation of Privilege https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-0683 Source code for Visual Studio C++ 2019 Inside "nu11secur1ty" you'll find the exploit (exe) to execute. # Note: This test is using `system.ini` in c:\Windows\system.ini When you exploit this file you should replace with the original file `system.ini` after this test, which you will find in CVE-2020-0683 directory :) -------------------------------------------------------------------------- - - How to run the exploit Go into "nu11secur1ty" directory and from a cmd console launch: - for the test MsiExploit.exe c:\Windows\system.ini" Be sure that both "MsiExploit.exe" and "foo.msi" reside in the same directory. - Disclaimer: The entry creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. - @nu11secur1ty [Network Access] Local [Disclosure Timeline] 02/11/2020 [Disclaimer] The entry creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. nu11secur1ty --


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top