# Exploit Title: MSI Packages Symbolic Links Processing - Windows 10 Privilege Escalation
# Author: nu11secur1ty
# Date: 2020-02-14
# Vendor: Microsoft
# Link: https://github.com/nu11secur1ty/Windows10Exploits/tree/master/Undefined/CVE-2020-0683/nu11secur1ty
# CVE: CVE-2020-0683

[+] Credits: Ventsislav Varbanovski (@nu11secur1ty)
[+] Website: https://www.nu11secur1ty.com/
[+] Source: readme from GitHub
[+] twitter.com/nu11secur1ty

[Exploit Program]
Link:
https://github.com/nu11secur1ty/Windows10Exploits/tree/master/Undefined/CVE-2020-0683/nu11secur1ty

[Vendor]
Microsoft

[Vulnerability Type]
Windows Installer Elevation of Privilege Vulnerability

[CVE Reference]

An elevation of privilege vulnerability exists in the Windows Installer
when MSI packages process symbolic links. An attacker who successfully
exploited this vulnerability could bypass access restrictions to add or
remove files.

To exploit this vulnerability, an attacker would first have to log on to
the system. An attacker could then run a specially crafted application that
could exploit the vulnerability and add or remove files.

The security update addresses the vulnerability by modifying how reparse
points are handled by the Windows Installer.

[Security Issue]
Elevation of Privilege from user to C:\Windows\administration execution files

[References]

# CVE-2020-0683
Original PoC sent to MSRC.
Assigned to CVE-2020-0683 - Windows Installer Elevation of Privilege
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-0683

Source code for Visual Studio C++ 2019

Inside "nu11secur1ty" you'll find the exploit (exe) to execute.

# Note:

This test uses `system.ini` at c:\Windows\system.ini
After the test, replace the modified file with the original `system.ini`,
which you will find in the CVE-2020-0683 directory :)
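
A way to confirm whether `system.ini` was changed by the test and still needs restoring, as an added PowerShell example that is not part of the original advisory or the author's repository. The function names and the baseline location under `$env:TEMP` are assumptions.

```powershell
# Added example (not from the original advisory). Function names and the
# baseline location under $env:TEMP are assumptions made for illustration.

function Get-FileBaseline {
    param([Parameter(Mandatory)][string]$Path)
    # The advisory says the flaw lets a user add or remove files, so a
    # missing target is a state worth recording, not an error.
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }
    $item = Get-Item -LiteralPath $Path -Force
    $acl  = Get-Acl  -LiteralPath $Path
    [pscustomobject]@{
        Path       = $item.FullName
        Exists     = $true
        Sha256     = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Length     = $item.Length
        WriteTicks = $item.LastWriteTimeUtc.Ticks
        Owner      = $acl.Owner
        Sddl       = $acl.Sddl
        # True if the path itself has become a reparse point (link or junction).
        IsReparse  = $item.Attributes.HasFlag([IO.FileAttributes]::ReparsePoint)
    }
}

function Compare-FileBaseline {
    param([Parameter(Mandatory)]$Before, [Parameter(Mandatory)]$After)
    # Emit one row per property that differs between the two snapshots.
    foreach ($name in 'Exists','Sha256','Length','WriteTicks','Owner','Sddl','IsReparse') {
        if ($Before.$name -ne $After.$name) {
            [pscustomobject]@{ Property = $name; Before = $Before.$name; After = $After.$name }
        }
    }
}

$target   = 'C:\Windows\system.ini'
$baseline = Join-Path $env:TEMP 'system.ini.baseline.xml'

if (-not (Test-Path -LiteralPath $baseline)) {
    # First run, before the test: record the known-good state.
    Get-FileBaseline -Path $target | Export-Clixml -LiteralPath $baseline
    "Baseline saved to $baseline"
} else {
    # Second run, after the test: any row listed here means the file changed.
    $changes = @(Compare-FileBaseline (Import-Clixml -LiteralPath $baseline) (Get-FileBaseline -Path $target))
    if ($changes.Count) { $changes | Format-Table -AutoSize } else { 'system.ini matches the baseline' }
}
```

Run it once before the test and once after; on a patched system the second run should report no changes. Delete the baseline file to start over.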

--------------------------------------------------------------------------

- How to run the exploit

Go into "nu11secur1ty" directory and from a cmd console launch:

- for the test

MsiExploit.exe c:\Windows\system.ini

Be sure that both "MsiExploit.exe" and "foo.msi" reside in the same directory.

- Disclaimer:

The entry creation date may reflect when the CVE ID was allocated or
reserved, and does not necessarily indicate when this vulnerability
was discovered, shared with the affected vendor, publicly disclosed,
or updated in CVE.

- @nu11secur1ty

[Network Access]
Local

[Disclosure Timeline]
02/11/2020

[Disclaimer]

The entry creation date may reflect when the CVE ID was allocated or
reserved, and does not necessarily indicate when this vulnerability
was discovered, shared with the affected vendor, publicly disclosed,
or updated in CVE.

nu11secur1ty