exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

AppXSvc 17763 Arbitrary File Overwrite

AppXSvc 17763 Arbitrary File Overwrite
Posted Dec 11, 2019
Authored by Gabor Seljan

AppXSvc 17763 suffers from an arbitrary file overwrite vulnerability.

tags | exploit, arbitrary
advisories | CVE-2019-1476
SHA-256 | f1735f16db48e7cb806324e884766f170f7bba8f7e0ade0bca0f572a339eb95d
Download | Favorite | View

AppXSvc 17763 Arbitrary File Overwrite

Change Mirror Download
# Exploit Title: AppXSvc 17763 - Arbitrary File Overwrite (DoS)
# Date: 2019-10-28
# Exploit Author: Gabor Seljan
# Vendor Homepage: https://www.microsoft.com/
# Version: 17763.1.amd64fre.rs5_release.180914-1434
# Tested on: Windows 10 Version 1809 for x64-based Systems
# CVE: CVE-2019-1476

# Summary:
# AppXSvc improperly handles file hard links resulting in a low privileged user
# being able to overwrite an arbitrary file leading to elevation of privilege.

# Description:

# An elevation of privilege vulnerability exists when the AppX Deployment Server
# (AppXSvc) improperly handles file hard links. While researching CVE-2019-0841
# originally reported by Nabeel Ahmed, I have found that AppXSvc can be forced
# to overwrite an arbitrary file by deleting all registry data files before
# creating the file hard link. As Nabeel Ahmed described in his write-up of
# CVE-2019-0841, if the settings.dat file is corrupted it will be replaced with
# the original settings.dat template. However, additional settings.dat.LOG1 and
# settings.dat.LOG2 files are also created during the initialization process.
# Substituting the settings.dat.LOG1 or the settings.dat.LOG2 file with a hard
# link allows a low privileged user to overwrite an arbitrary file with registry
# data or just simply empty it, respectively. A low privileged user could exploit
# this vulnerability to cause denial of service by overwriting critical system
# files.

Steps to reproduce:
1. Terminate Paint 3D processes.
2. Delete settings.* files in Microsoft.MSPaint_8wekyb3d8bbwe\Settings folder.
3. Create a hard link from settings.dat.LOG1 to C:\Windows\win.ini.
4. Execute the start ms-paint: command to run Paint 3D.
5. Terminate Paint 3D processes.

Expected result:
It isn't possible to overwrite a file not writable by a low privileged user.

Observed result:
C:\Windows\win.ini file is overwritten with registry data.

References:
https://github.com/sgabe/CVE-2019-1476
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1476
https://krbtgt.pw/dacl-permissions-overwrite-privilege-escalation-cve-2019-0841
Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    6 Files
  • 17
    Jul 17th
    34 Files
  • 18
    Jul 18th
    6 Files
  • 19
    Jul 19th
    34 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    19 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close