module
AppXSvc Hard Link Privilege Escalation
| Disclosed | Created |
|---|---|
| 2019-04-09 | 2019-07-15 |
Disclosed
2019-04-09
Created
2019-07-15
Description
There exists a privilege escalation vulnerability for
Windows 10 builds prior to build 17763. Due to the AppXSvc's
improper handling of hard links, a user can gain full
privileges over a SYSTEM-owned file. The user can then utilize
the new file to execute code as SYSTEM.
This module employs a technique using the Diagnostics Hub Standard
Collector Service (DiagHub) which was discovered by James Forshaw to
load and execute a DLL as SYSTEM.
Windows 10 builds prior to build 17763. Due to the AppXSvc's
improper handling of hard links, a user can gain full
privileges over a SYSTEM-owned file. The user can then utilize
the new file to execute code as SYSTEM.
This module employs a technique using the Diagnostics Hub Standard
Collector Service (DiagHub) which was discovered by James Forshaw to
load and execute a DLL as SYSTEM.
Authors
Nabeel Ahmed
James Forshaw
Shelby Pace
James Forshaw
Shelby Pace
Platform
Windows
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.