A Year of Windows Privilege Escalation Bugs
Earlier last year I came across an article by Provadys (now Almond) highlighting several bugs they had discovered based on research by James Forshaw of Google’s Project Zero. The research focused on the exploitation of Windows elevation of privilege (EoP) vulnerabilities using NTFS junctions, hard links, and a combination of the two that Forshaw coined "Windows symlinks". James also released a handy toolset, the symbolic testing toolkit, to ease the exploitation of these vulnerabilities. Since they have already done such an excellent job describing these techniques, I won’t rehash their inner workings. The main purpose of this post is to showcase some of our findings and how we exploited them.
My initial target set was software covered under a bug bounty program. After I had exhausted that group, I moved on to Windows services and scheduled tasks. The table below details the vulnerabilities discovered and any additional information regarding the bugs.
| Vendor | Arbitrary File | ID | Date Reported | Reference | Reward |
|---|---|---|---|---|---|
| (private) | Write | Undisclosed | 04/06/2019 | Hackerone | 500 |
| Ubiquiti | Delete | CVE-2020-8146 | 04/08/2019 | Hackerone | 667 |
| Valve | Write | CVE-2019-17180 | 05/16/2019 | Hackerone | 1250 |
| (private) | Write | Undisclosed | 04/19/2019 | Bugcrowd | 600 |
| Thales | Write | CVE-2019-18232 | 10/15/2019 | ISC-Cert | N/A |
| Microsoft | Read/Write | CVE-2019-1077 | 05/06/2019 | Microsoft | N/A |
| Microsoft | Write | CVE-2019-1267 | 05/08/2019 | Microsoft | N/A |
| Microsoft | Write | CVE-2019-1317 | 09/16/2019 | Microsoft | N/A |