MSI Packages Symbolic Links Processing - Windows 10 Privilege Escalation

EDB-ID:

48079




Platform:

Windows

Date:

2020-02-17


# Exploit Title:  MSI Packages Symbolic Links Processing - Windows 10 Privilege Escalation
# Author: nu11secur1ty
# Date: 2020-02-14
# Vendor: Microsoft
# Link: https://github.com/nu11secur1ty/Windows10Exploits/tree/master/Undefined/CVE-2020-0683/nu11secur1ty
# CVE: CVE-2020-0683


[+] Credits: Ventsislav Varbanovski (@ nu11secur1ty)
[+] Website: https://www.nu11secur1ty.com/
[+] Source:  readme from GitHUB
[+] twitter.com/nu11secur1ty


[Exploit Program]
Link:
https://github.com/nu11secur1ty/Windows10Exploits/tree/master/Undefined/CVE-2020-0683/nu11secur1ty


[Vendor]
Microsoft


[Vulnerability Type]
Windows Installer Elevation of Privilege Vulnerability

[CVE Reference]

An elevation of privilege vulnerability exists in the Windows Installer
when MSI packages process symbolic links. An attacker who successfully
exploited this vulnerability could bypass access restrictions to add or
remove files.

To exploit this vulnerability, an attacker would first have to log on to
the system. An attacker could then run a specially crafted application that
could exploit the vulnerability and add or remove files.

The security update addresses the vulnerability by modifying how to reparse
points are handled by the Windows Installer.


[Security Issue]
Elevation of Privilege from user to C:\Windows\administartion execution
files


[References]

# CVE-2020-0683
Original Poc sent to MSRC.
Assigned to CVE-2020-0683 - Windows Installer Elevation of Privilege
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-0683

Source code for Visual Studio C++ 2019

Inside "nu11secur1ty" you'll find the exploit (exe) to execute.

# Note:

This test is using `system.ini` in c:\Windows\system.ini
When you exploit this file you should replace with the original file
`system.ini` after this test, which you will find in CVE-2020-0683
directory :)

--------------------------------------------------------------------------

- - How to run the exploit

Go into "nu11secur1ty" directory and from a cmd console launch:

- for the test

MsiExploit.exe  c:\Windows\system.ini"

Be sure that both "MsiExploit.exe" and "foo.msi" reside in the same directory.

- Disclaimer:

 The entry creation date may reflect when the CVE ID was allocated or
reserved, and does not necessarily indicate when this vulnerability
was discovered, shared with the affected vendor, publicly disclosed,
or updated in CVE.


- @nu11secur1ty


[Network Access]
Local


[Disclosure Timeline]
02/11/2020

[Disclaimer]

 The entry creation date may reflect when the CVE ID was allocated or
reserved, and does not necessarily indicate when this vulnerability
was discovered, shared with the affected vendor, publicly disclosed,
or updated in CVE.


nu11secur1ty
--