## https://sploitus.com/exploit?id=14128AF4-DC57-5DF7-A420-8F7346569ECF
# CVE-2025-63945 Tencent iOA EoP
Version : before 210.9.28693.62001
Summary: I discovered a vulnerability in Tencent PC Manager where files and directories under C:\Windows\Temp are insecurely handled. An attacker can leverage symbolic link (symlink) attacks to coerce a SYSTEM-privileged process into deleting arbitrary files, resulting in local privilege escalation. Specifically, a process named LegacyKB_ioa_win.exe is periodically launched when using the โioaโ component. During operation, it creates a TencentDownload directory under the Temp folder, downloads files into it, and subsequently performs deletions as SYSTEM. Due to insufficient path validation and unsafe deletion logic, this behavior can be abused to delete attacker-chosen files with SYSTEM privileges.
It was observed the process "LegacyKB_*.exe" will do the following with SYSTEM privilege :
1. When a new version or hotfix is available, the iOA component downloads and executes a Legacy_*.exe from the internet.
2. Legacy_*.exe checks for the presence of the TencentDownload directory under C:\Windows\Temp; if it does not exist, it creates it.
3. Legacy_*.exe creates a subdirectory named with a tilde prefix (e.g., ~) inside TencentDownload.
4. At the end, Legacy_*.exe uses SYSTEM privileges to delete the ~* subdirectory inside TencentDownload.
Since the directory "C:\Windows\Temp\TencentDownload" could be created by current user and assigned with "Modify" privilege for current user, current user could modify and read the entire directory. With this setup, an unprivileged user is able to achieve arbitrary file delete by creating a symbolic link to a privileged location (e.g., C:\Windows\System32). Furthermore, a malicious user could achieve local privilege escalation from arbitrary file/folder delete.
To perform LPE by arbitrary file/folder delete , the user could perform follow steps:
1. User create folder "C:\Windows\Temp\TencentDownload"
2. User set OpLock on folder "C:\Windows\Temp\TencentDownload\~*" once we observe the any ~ prefix folder are created
4. The process "Legacy_*.exe" will attempt to remove folder "C:\Windows\Temp\TencentDownload\~*" with SYSTEM privilege.
5. The process "Legacy_*.exe" will be paused due to the OpLock
6. When OpLock is triggered, user move file "C:\Windows\Temp\TencentDownload\~*" to somewhere else to empty the folder
7. User create junction "C:\Windows\Temp\TencentDownload\" to "\RPC Control"
8. User create symbolic link "GLOBAL\GLOBALROOT\RPC Control\~*" to target folder/file (e.g., C:\Windows\System32\secrets)
9. User release OpLock
10. User delete symbolic link
11. Target file/folder (e.g., C:\Windows\System32\secrets) would be deleted
PoC video :https://drive.google.com/file/d/1RXQgaNBDeopurcP63xmhMXDM7stHaIzO/view?usp=sharing