| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 14 Feb 2020 23:07:16 +0100 From: Imre Rad <radimre83@...il.com> To: fulldisclosure@...lists.org Subject: [FD] CVE-2020-0728: Windows Modules Installer Service Information Disclosure Vulnerability The TrustedInstaller service running on the Windows operating system hosts a COM service called Sxs Store Class; its ISxsStore interface provides methods to install/uninstall assemblies via application manifests files into the WinSxS store. These API methods were meant to be available for users with administrative privileges only, but the logic was unintentionally exposed to anyone on the system due to improper implementation of the authorization logic. Source files referenced by the manifest can be abused via junction points and thus getting the service made a copy of arbitrary files in the context of NT_AUTHORITY\SYSTEM. Repository with proof of concept code: https://github.com/irsl/CVE-2020-0728 The wcp framework (the codebase behind processing the manifest files) is quite complex and features various 'installers' (e.g. GenericCommand execution among the 'advanced' ones) - making this flaw an attractive attack surface for privilege escalation - , but the interface accessible above seems to be limited to only the 'primitive installers'. Microsoft's patch was released 02/11/2020; the official advisory can be found here: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-0728 _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists