| Title | Published | Views | Reporter |
|---|---|---|---|
| Microsoft Windows - AppX Deployment Service Privilege Escalation Exploit | 10 Apr 2019 00:00 | – | zdt |
| Microsoft Windows - AppX Deployment Service Local Privilege Escalation (2) Exploit | 29 May 2019 00:00 | – | zdt |
| Microsoft Windows - AppX Deployment Service Local Privilege Escalation (3) Exploit | 7 Jun 2019 00:00 | – | zdt |
| Microsoft Windows 10 < build 17763 - AppXSvc Hard Link Privilege Escalation Exploit | 16 Jul 2019 00:00 | – | zdt |
| AppXSvc - Privilege Escalation Vulnerability | 16 Sep 2019 00:00 | – | zdt |
| CVE-2019-0841 | 9 Apr 2019 00:00 | – | attackerkb |
| CVE-2019-0841: AppXSvc Hard Link Privilege Escalation | 9 Apr 2019 00:00 | – | attackerkb |
| Immunity Canvas: ALPC_TAKEOVER_LPE | 9 Apr 2019 21:29 | – | canvas |
| CVE-2019-0841 | 10 Apr 2019 08:14 | – | circl |
| CVE-2019-1476 | 9 Mar 2024 14:46 | – | circl |

# Exploit Title: AppXSvc 17763 - Arbitrary File Overwrite (DoS)
# Date: 2019-10-28
# Exploit Author: Gabor Seljan
# Vendor Homepage: https://www.microsoft.com/
# Version: 17763.1.amd64fre.rs5_release.180914-1434
# Tested on: Windows 10 Version 1809 for x64-based Systems
# CVE: CVE-2019-1476
# Summary:
# AppXSvc improperly handles file hard links resulting in a low privileged user
# being able to overwrite an arbitrary file leading to elevation of privilege.
# Description:
# An elevation of privilege vulnerability exists when the AppX Deployment Server
# (AppXSvc) improperly handles file hard links. While researching CVE-2019-0841
# originally reported by Nabeel Ahmed, I have found that AppXSvc can be forced
# to overwrite an arbitrary file by deleting all registry data files before
# creating the file hard link. As Nabeel Ahmed described in his write-up of
# CVE-2019-0841, if the settings.dat file is corrupted it will be replaced with
# the original settings.dat template. However, additional settings.dat.LOG1 and
# settings.dat.LOG2 files are also created during the initialization process.
# Substituting the settings.dat.LOG1 or the settings.dat.LOG2 file with a hard
# link allows a low privileged user to overwrite an arbitrary file with registry
# data or just simply empty it, respectively. A low privileged user could exploit
# this vulnerability to cause denial of service by overwriting critical system
# files.
Steps to reproduce:
1. Terminate Paint 3D processes.
2. Delete settings.* files in Microsoft.MSPaint_8wekyb3d8bbwe\Settings folder.
3. Create a hard link from settings.dat.LOG1 to C:\Windows\win.ini.
4. Execute the start ms-paint: command to run Paint 3D.
5. Terminate Paint 3D processes.
Expected result:
It isn't possible to overwrite a file not writable by a low privileged user.
Observed result:
C:\Windows\win.ini file is overwritten with registry data.
References:
https://github.com/sgabe/CVE-2019-1476
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1476
https://krbtgt.pw/dacl-permissions-overwrite-privilege-escalation-cve-2019-0841
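
A defender-side check for the condition the steps above create, added here as an example and not part of the original advisory or the author's repository: it lists settings.dat, settings.dat.LOG1 and settings.dat.LOG2 files under package Settings folders that have more than one hard link. The `%LOCALAPPDATA%\Packages` root and the function name `find_hardlinked_hives` are assumptions, as is treating a link count above 1 on these files as suspicious.

```python
import os
import sys
from pathlib import Path

# Registry data files AppXSvc (re)creates in a package's Settings folder,
# as named in the advisory above.
HIVE_NAMES = ("settings.dat", "settings.dat.LOG1", "settings.dat.LOG2")


def find_hardlinked_hives(packages_root):
    """Return (path, link_count) for hive files that have more than one name.

    A file the service created itself has exactly one directory entry; a
    link count above 1 means the same file is reachable under another path
    (assumed heuristic, not a documented Windows guarantee).
    """
    findings = []
    for settings_dir in sorted(Path(packages_root).glob("*/Settings")):
        for name in HIVE_NAMES:
            candidate = settings_dir / name
            try:
                # lstat: do not follow a symlink placed where the file should be
                info = os.lstat(candidate)
            except OSError:
                continue  # missing or unreadable: nothing to report
            if info.st_nlink > 1:
                findings.append((str(candidate), info.st_nlink))
    return findings


if __name__ == "__main__":
    # Assumed default location of per-user package data on Windows.
    default_root = os.path.join(os.environ.get("LOCALAPPDATA", "."), "Packages")
    root = sys.argv[1] if len(sys.argv) > 1 else default_root
    for path, links in find_hardlinked_hives(root):
        print(f"{path}: {links} links (expected 1)")
```

Run it per user profile, since each user has their own Packages folder; a finding identifies which Settings file to inspect, not which other path shares its data.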