Follow the Link: Exploiting Symbolic Links with Ease by Eran Shimony.
In the first part, we will explore the attack vector for abusing privileged file operations bugs along with how to fix those bugs. To start, we will walk through CVE-2019-1161, a vulnerability in Windows Defender that can be exploited to achieve Escalation of Privileges (EoP), for which Microsoft released a patch on August Patch Tuesday.
Hundreds of millions of Windows machines – any machine running Windows 7 and above – are vulnerable to the arbitrary delete vulnerability. A malicious user can abuse Windows Defender to delete any file he wants with NT AUTHORITY\SYSTEM privileges. The vulnerability lies in a process named MpSigStub.exe, which is executed by Windows Defender with high privileges. This process suffers from an impersonation issue that could lead to EoP using Object Manager symlinks.
Prepare for the 2020 election season by refreshing your memory on Windows hacks. If MS marketing is to be believed, 1.5 billion people use Windows every day. Odds are an office or organization of interest to you uses Windows.
Shimony’s walkthrough on symbolic links leaves us at:
Nevertheless, we can either create a file in an arbitrary location or delete any desired file that might lead to full privilege escalation in certain cases.
It’s a starting place and I’m looking forward to the next installment!