FlashBroker is vulnerable to NTFS junction attack to write an arbitrary file to the filesystem under user permissions. There is a bad check in FlashBroker BrokerCreateFile method and BrokerMoveFileEx method. FlashBroker uses CreateFile to open the destination folder for check. If CreateFile fails, the destination will be considered as a valid path. However, FlashBroker uses dwShareMode as 0 in CreateFile, which make CreateFile always fail if handle of the destination folder is held by other.
1833e423f195e8f2809219e0689a0b518a6badd8204abdb35e1d3ceaabc57452
FlashBroker is vulnerable to an NTFS junction attack to write an arbitrary file to the filesystem under user permissions. There is a bad check in FlashBroker BrokerCreateFile method and BrokerMoveFileEx method. FlashBroker only considers "\" as delimiter. If the destination includes "/", FlashBroker will use a wrong destination folder for check.
ecdb7f0d31c0d78cd25fb1e2a301573230e10f182d90e0e3e0fec1b6a16204ba