Unpatched Windows Zero-Day Allows Privileged File Access
2021-11-29 17:47

In a proof-of-concept exploit, he demonstrated that it's possible to copy files from a chosen location into a Cabinet archive that the user can then open and read.

"I mean this is still unpatched and allows LPE if shadow volume copies are enabled; but I noticed that it doesn't work on Windows 11 https://t."

"The resulting .CAB file is then stored in the C:\Users\Public\Public Documents\MDMDiagnostics folder, where the user can freely access it."

When the .CAB file is copied into the Windows Temp folder, a local attacker can pounce.

The adversary would simply create a file shortcut link with a predictable file name that would normally be used in the normal export process, pointing to a target folder or file that the attacker would like to access.

"Our patch is placed immediately before the call to CopyFileW that opens the source file for copying, and uses the GetFinalPathNameByHandleW function to determine whether any junctions or other types of links are used in the path. If they are, our patch makes it look as if the CopyFileW call has failed, thereby silently bypassing the copying of any file that doesn't actually reside in C:\Windows\Temp."
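
The check the quoted patch describes (resolve the source's final path, and report a failed copy when it lands outside the expected folder) can be sketched portably in Python. This is an added example, not the patch's own code; the function names and the directory layout are hypothetical, and the demo uses a POSIX symlink in place of a Windows junction.

```python
import os
import shutil
import tempfile


def resolves_inside(path, allowed_dir):
    """True only if path, with every link resolved, lies inside allowed_dir."""
    real = os.path.realpath(path)
    base = os.path.realpath(allowed_dir)
    try:
        return os.path.commonpath([real, base]) == base
    except ValueError:  # e.g. paths on different drives on Windows
        return False


def guarded_copy(src, dst, allowed_dir):
    """Copy src to dst unless a link redirects src outside allowed_dir.

    Returns False without copying in that case, so the caller sees an
    ordinary failed copy.
    """
    if not resolves_inside(src, allowed_dir):
        return False
    # Copy from the resolved path that was just checked, not the link name.
    shutil.copyfile(os.path.realpath(src), dst)
    return True


def demo():
    """Constructed scenario: temp/ is the staging folder, secret/ is protected."""
    root = tempfile.mkdtemp()
    temp, secret, out = (os.path.join(root, n) for n in ("temp", "secret", "out"))
    for d in (temp, secret, out):
        os.mkdir(d)
    with open(os.path.join(secret, "protected.txt"), "w") as f:
        f.write("protected")
    with open(os.path.join(temp, "report.cab"), "w") as f:
        f.write("diagnostics")
    # A link under a predictable name that points outside the staging folder.
    planted = os.path.join(temp, "planted.cab")
    os.symlink(os.path.join(secret, "protected.txt"), planted)
    ok = guarded_copy(os.path.join(temp, "report.cab"), os.path.join(out, "a.cab"), temp)
    blocked = guarded_copy(planted, os.path.join(out, "b.cab"), temp)
    leaked = os.path.exists(os.path.join(out, "b.cab"))
    shutil.rmtree(root)
    return ok, blocked, leaked


if __name__ == "__main__":
    print(demo())
```

The check and the copy are separate steps here, so a link swapped in between them would not be caught; checking the final path of an already-open handle, as the quoted patch does with GetFinalPathNameByHandleW, narrows that window.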

Windows Servers are not affected, and neither are Windows 11, Windows 10 v1803 and older Windows 10 versions.


News URL

https://threatpost.com/unpatched-windows-zero-day-privileged-file-access/176609/