Zero Day Initiative | Blog
Follow
Abusing Arbitrary File Deletes to Escalate Privilege and Other Great Tricks (Archive)
In March 2021, researcher Abdelhamid Naceri reported a vulnerability in the User Profile service that allowed for an arbitrary file delete as SYSTEM. This vulnerability can be exploited to gain SYSTEM privileges by leveraging the Windows Installer service. The exploit technique involves creating a dummy C:\Config.Msi folder, setting an oplock, triggering the folder delete vulnerability, and then replacing the folder with a malicious version that contains rollback scripts. The Windows Installer service will then install an .msi file with custom actions, which will trigger a rollback and drop a malicious DLL. The exploit can also be adapted for use with file delete primitives by deleting the index allocation stream of a folder, and for folder contents delete primitives by deleting the contents of an attacker-writable folder.