Breaking Barriers and Assumpti... Note

Breaking Barriers and Assumptions: Techniques for Privilege Escalation on Windows: Part 1

Over the years, there has been a significant increase in the number of link following vulnerabilities submitted to the ZDI program. These vulnerabilities often involve programmatically exploiting race conditions and are found in applications that run with elevated privileges and perform file operations. To find these vulnerabilities, researchers identify file operations that create, modify, or delete files in locations accessible to standard users and then check for the absence of checks for user-created links. Several strategies employed by developers to prevent link following include using the FILE_FLAG_OPEN_REPARSE_POINT flag, checking for a reparse tag, using protected and hidden files, and impersonation. However, not all of these methods are effective.One promising technique involved exploiting improper impersonation, but a September 2023 Microsoft mitigation (ObpUseSystemDeviceMap) limits this technique to file lookups on the system drive. Vulnerabilities in AVG and Avast products demonstrate link following privilege escalation bugs with failed checks. In one case, a denial-of-service condition could be created by exploiting the absence of link following prevention during directory creation. In another case, local privilege escalation could be achieved by abusing a race condition during file path reconstruction after file restoration from quarantine. These vulnerabilities highlight the importance of properly preventing link following in applications that perform file operations with elevated privileges.