CVE-2019-0841 BYPASS #2

vendor:

Microsoft Edge

by:

Unknown

7.8

CVSS

HIGH

Bypass

284

CWE

Product Name: Microsoft Edge

Affected Version From:

Affected Version To:

Patch Exists: NO

Related CWE: CVE-2019-0841

CPE: a:microsoft:microsoft_edge

Metasploit: https://www.rapid7.com/db/vulnerabilities/freebsd-cve-2019-5060/, https://www.rapid7.com/db/vulnerabilities/freebsd-cve-2019-5057/, https://www.rapid7.com/db/vulnerabilities/freebsd-cve-2019-5058/, https://www.rapid7.com/db/vulnerabilities/freebsd-cve-2019-5059/, https://www.rapid7.com/db/vulnerabilities/msft-cve-2019-0841/

Other Scripts:

Platforms Tested: Windows

2019

This exploit allows an attacker to bypass CVE-2019-0841 by deleting files and subfolders within a specific directory, causing Microsoft Edge to crash and then write the DACL while impersonating the SYSTEM. The bug is not restricted to Edge and can potentially be triggered with other packages as well. The bug can be triggered silently without Edge popping up, by launching Edge once and then minimizing or closing it. The exploit can be executed programmatically, using methods like sendinput.

Mitigation:

No known mitigation or remediation for this vulnerability

Source

Exploit-DB raw data:

CVE-2019-0841 BYPASS #2

There is a second bypass for CVE-2019-0841.

This can be triggered as following:

Delete all files and subfolders within "c:\users\%username%\appdata\local\packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\" (atleast the ones we can delete as user)

Try to launch edge. It will crash the first time.

When we launch it a second time, it will write the DACL while impersonating "SYSTEM".

The trick here is to launch edge by clicking it on the taskbar or desktop, using "start microsoft-edge:" seems to result in correct impersonation.

You can still do this completely programmatically.. since edge will always be in the same position in the task bar.. *cough* sendinput *cough*. There is probably other ways too.

Another note, this bug is most definitely not restricted to edge. This will be triggered with other packages too. So you can definitely figure out a way to trigger this bug silently without having edge pop up. Or you could probably minimize edge as soon as it launches and close it as soon as the bug completes. I think it will also trigger by just launching edge once, but sometimes you may have to wait a little. I didn't do extensive testing.. found this bug and quickly wrote up a poc, took me like 2 hours total, finding LPEs is easy.

To repro:
1. Launch my poc
2. Launch edge several times

Use video demo as guidance. Also, I don't get paid for dropping bugs, so if you want a simple and full exploit, then go fucking write it yourself, I have better things to do, such as preparing my voyage into the arctic. You're welcome.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!IMPORTANT!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Make sure you have multiple cores in your VM (not multiple processors, multiple cores).

It's going to increase the thread priority to increase our odds of winning the race condition that this exploits. If your VM freezes it means you either have 1 core or set your vm to have multiple processors instead of multiple cores... which will also cause it to lock up.

EDB Note: Download ~ https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46976.zip