Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

MSI Packages Symbolic Links Processing - Windows 10 Privilege Escalation

🗓️ 17 Feb 2020 00:00:00Reported by nu11secur1tyType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 805 Views

MSI Packages Symbolic Links Processing - Windows 10 Privilege Escalation. Vulnerability in Windows Installer allows Elevation of Privilege by processing symbolic links in MSI packages

Related
Code
ReporterTitlePublishedViews
Family
0day.today		MSI Packages Symbolic Links Processing - Windows 10 Privilege Escalation Vulnerability
17 Feb 202000:00
zdt
Gitee		Exploit for Deserialization of Untrusted Data in Redhat Jboss_Enterprise_Application_Platform
8 Dec 202020:38
gitee
ATTACKERKB		CVE-2020-0686
11 Feb 202000:00
attackerkb
ATTACKERKB		CVE-2020-0683
11 Feb 202000:00
attackerkb
Circl		CVE-2020-0683
21 Sep 202104:41
circl
CISA KEV Catalog		Microsoft Windows Installer Privilege Escalation Vulnerability
3 Nov 202100:00
cisa_kev
CNVD		Microsoft Windows Installer elevation of privilege vulnerability (CNVD-2020-16837)
14 Feb 202000:00
cnvd
CVE		CVE-2020-0683
11 Feb 202021:22
cve
Cvelist		CVE-2020-0683
11 Feb 202021:22
cvelist
exploitpack		MSI Packages Symbolic Links Processing - Windows 10 Privilege Escalation
17 Feb 202000:00
exploitpack
Rows per page
# Exploit Title:  MSI Packages Symbolic Links Processing - Windows 10 Privilege Escalation
# Author: nu11secur1ty
# Date: 2020-02-14
# Vendor: Microsoft
# Link: https://github.com/nu11secur1ty/Windows10Exploits/tree/master/Undefined/CVE-2020-0683/nu11secur1ty
# CVE: CVE-2020-0683


[+] Credits: Ventsislav Varbanovski (@ nu11secur1ty)
[+] Website: https://www.nu11secur1ty.com/
[+] Source:  readme from GitHUB
[+] twitter.com/nu11secur1ty


[Exploit Program]
Link:
https://github.com/nu11secur1ty/Windows10Exploits/tree/master/Undefined/CVE-2020-0683/nu11secur1ty


[Vendor]
Microsoft


[Vulnerability Type]
Windows Installer Elevation of Privilege Vulnerability

[CVE Reference]

An elevation of privilege vulnerability exists in the Windows Installer
when MSI packages process symbolic links. An attacker who successfully
exploited this vulnerability could bypass access restrictions to add or
remove files.

To exploit this vulnerability, an attacker would first have to log on to
the system. An attacker could then run a specially crafted application that
could exploit the vulnerability and add or remove files.

The security update addresses the vulnerability by modifying how to reparse
points are handled by the Windows Installer.


[Security Issue]
Elevation of Privilege from user to C:\Windows\administartion execution
files


[References]

# CVE-2020-0683
Original Poc sent to MSRC.
Assigned to CVE-2020-0683 - Windows Installer Elevation of Privilege
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-0683

Source code for Visual Studio C++ 2019

Inside "nu11secur1ty" you'll find the exploit (exe) to execute.

# Note:

This test is using `system.ini` in c:\Windows\system.ini
When you exploit this file you should replace with the original file
`system.ini` after this test, which you will find in CVE-2020-0683
directory :)

--------------------------------------------------------------------------

- - How to run the exploit

Go into "nu11secur1ty" directory and from a cmd console launch:

- for the test

MsiExploit.exe  c:\Windows\system.ini"

Be sure that both "MsiExploit.exe" and "foo.msi" reside in the same directory.

- Disclaimer:

 The entry creation date may reflect when the CVE ID was allocated or
reserved, and does not necessarily indicate when this vulnerability
was discovered, shared with the affected vendor, publicly disclosed,
or updated in CVE.


- @nu11secur1ty


[Network Access]
Local


[Disclosure Timeline]
02/11/2020

[Disclaimer]

 The entry creation date may reflect when the CVE ID was allocated or
reserved, and does not necessarily indicate when this vulnerability
was discovered, shared with the affected vendor, publicly disclosed,
or updated in CVE.


nu11secur1ty
--

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
17 Feb 2020 00:00Current
8.2High risk
Vulners AI Score8.2
CVSS 27.2
CVSS 3.17.8
EPSS0.31324
SSVC
windows 10privilege escalationvulnerabilitywindows installersymbolic linkselevation of privilegecve-2020-0683microsoftexploitnu11secur1ty
805