PoC code for a Windows vulnerability is available on the web

Security researcher Nabeel Ahmed has published a demo exploit for CVE-2019-0841, a privilege elevation vulnerability in Windows caused by incorrect handling of hard links by the AppX Deployment Service (AppXSVC), which is used to run Windows Apps and to install and uninstall application data.

With this vulnerability, an attacker can elevate privileges on Windows 10 and Windows Server 2019, which allows installing programs or modifying data on the system.

After analyzing how settings.dat configuration files are handled, Ahmed found that he could take complete control of virtually any file with minimal rights. The researcher demonstrated the exploit using Microsoft Edge as an example. He used the Edge configuration file, running in the context of a regular user, to gain complete control over the hosts file, which only users with administrator or SYSTEM-level privileges can change.

The exploitation process is as follows:

1. The exploit checks whether the target file exists and, if it does, checks its permissions. Next, it stops Microsoft Edge in order to gain access to the settings.dat file.

2. In the next step, the exploit checks settings.dat and deletes it in order to create a hard link to the target file (in this case, hosts).

3. After the hard link is created, Microsoft Edge is launched to trigger the vulnerability. The exploit then checks whether Full Control permissions have been set for the current user.
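The end state these steps produce can be audited from the defender's side. The following PowerShell is an added example, not code from the researcher or the original article: it flags settings.dat files that have more than one hard link and reports any non-administrative principal holding Full Control on the hosts file. The settings.dat location under `%LOCALAPPDATA%\Packages`, the list of expected principals, and the function names are assumptions made for this example.

```powershell
# Added example: audits for the end state described in the steps above.
# Assumption: per-user app settings are stored at
#   %LOCALAPPDATA%\Packages\<package>\Settings\settings.dat

function Get-HardLinkPaths {
    param([Parameter(Mandatory)][string]$Path)
    # fsutil prints one line for every name that refers to the same file data
    $out = & fsutil.exe hardlink list $Path 2>$null
    if ($LASTEXITCODE -ne 0) { return @() }
    return @($out | Where-Object { $_.Trim() })
}

function Get-UnexpectedFullControl {
    param([Parameter(Mandatory)][string]$Path)
    # Assumption: principals that may legitimately hold Full Control on system files
    $expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                  'NT SERVICE\TrustedInstaller')
    $full = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights) -band $full) -eq $full -and
        $expected -notcontains $_.IdentityReference.Value
    }
}

# Check 1: a settings.dat with more than one name is hard-linked to another path
$pattern = Join-Path $env:LOCALAPPDATA 'Packages\*\Settings\settings.dat'
Get-ChildItem -Path $pattern -Force -ErrorAction SilentlyContinue | ForEach-Object {
    $links = @(Get-HardLinkPaths -Path $_.FullName)
    if ($links.Count -gt 1) {
        [pscustomobject]@{
            Finding = 'settings.dat has additional hard links'
            File    = $_.FullName
            Detail  = $links -join '; '
        }
    }
}

# Check 2: hosts should be fully controllable only by administrative principals
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-UnexpectedFullControl -Path $hostsFile | ForEach-Object {
    [pscustomobject]@{
        Finding = 'unexpected Full Control on hosts'
        File    = $hostsFile
        Detail  = $_.IdentityReference.Value
    }
}
```

Check 1 only covers the profile of the user running the script, so it needs to be run per user profile; check 2 can be pointed at any other protected file by passing a different path to `Get-UnexpectedFullControl`.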

Source: securitylab.ru