lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 14 Feb 2020 23:05:43 +0100
From: Imre Rad <radimre83@...il.com>
To: bugtraq@...urityfocus.com
Subject: CVE-2020-0728: Windows Modules Installer Service Information
 Disclosure Vulnerability

The TrustedInstaller service running on the Windows operating system
hosts a COM service called Sxs Store Class; its ISxsStore interface
provides methods to install/uninstall assemblies via application
manifests files into the WinSxS store. These API methods were meant to
be available for users with administrative privileges only, but the
logic was unintentionally exposed to anyone on the system due to
improper implementation of the authorization logic.

Source files referenced by the manifest can be abused via junction
points and thus getting the service made a copy of arbitrary files in
the context of NT_AUTHORITY\SYSTEM. Repository with proof of concept
code: https://github.com/irsl/CVE-2020-0728

The wcp framework (the codebase behind processing the manifest files)
is quite complex and features various 'installers' (e.g.
GenericCommand execution among the 'advanced' ones) - making this flaw
an attractive attack surface for privilege escalation - , but the
interface accessible above seems to be limited to only the 'primitive
installers'.

Microsoft's patch was released 02/11/2020; the official advisory can
be found here: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-0728

Powered by blists - more mailing lists