header-logo
Suggest Exploit
vendor:
by:
N/A
CVSS
HIGH
Low Privilege File Hijack
CWE
Product Name:
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Windows

Low Privilege File Hijack Vulnerability

This vulnerability allows low privileged users to hijack files owned by NT AUTHORITYSYSTEM by overwriting permissions on the targeted file. Successful exploitation results in "Full Control" permissions for the low privileged user. The exploit involves checking if the targeted file exists, killing Microsoft Edge to access the settings.dat file, deleting the settings.dat file to create a hardlink to the targeted file, and triggering the vulnerability by restarting Microsoft Edge. Finally, a check is performed to verify that the current user has "Full Control" permissions.

Mitigation:

To mitigate this vulnerability, ensure that low privileged users do not have the ability to modify file permissions or access sensitive files.
Source

Exploit-DB raw data:

This vulnerability allows low privileged users to hijack file that are owned by NT AUTHORITY\SYSTEM by overwriting permissions on the targeted file. Successful exploitation results in "Full Control" permissions for the low privileged user. 

1. The exploit first checks if the targeted file exists, if it does it will check its permissions. Since we are using Microsoft Edge for this exploit it will kill Microsoft Edge in order to get access to the settings.dat file. 
2. After Microsoft Edge is killed it will check for the "setting.dat" file and delete it in order to create a hardlink to the requested targeted file (in our case that was the HOSTS file) 
3. Once a hardlink is created Microsoft Edge is fired up again to trigger the vulnerability. Concluding with a final check if indeed "Full Control" permissions have been set for the current user.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46683.zip