A Year of Windows Privilege Escalation Bugs

Earlier last year I came across an article by Provadys (now Almond) highlighting several bugs they had discovered based on research by James Forshaw of Google’s Project Zero. The research focused on the exploitation of Windows elevation of privilege (EOP) vulnerabilities using NTFS junctions, hard links, and a combination of the two Forshaw coined as Windows symlinks. James also released a handy toolset to ease the exploitation of these vulnerabilities called the symbolic testing toolkit. Since they have done such an excellent job describing these techniques already, I won’t rehash their inner workings. The main purpose of this post is to showcase some of our findings and how we exploited them.


My initial target set was software covered under a bug bounty program. After I had exhausted that group I moved on to Windows services and scheduled tasks. The table below details the vulnerabilities discovered and any additional information regarding the bugs.

Vendor Arbitrary File ID Date Reported Reference Reward
(private) Write Undisclosed 04/06/2019 Hackerone 500
Ubiquiti Delete CVE-2020-8146 04/08/2019 Hackerone 667
Valve Write CVE-2019-17180 05/16/2019 Hackerone 1250
(private) Write Undisclosed 04/19/2019 Bugcrowd 600
Thales Write CVE-2019-18232 10/15/2019 ISC-Cert N/A
Microsoft Read/Write CVE-2019-1077 05/06/2019 Microsoft N/A
Microsoft Write CVE-2019-1267 05/08/2019 Microsoft N/A
Microsoft Write CVE-2019-1317 09/16/2019 Microsoft N/A