Share
## https://sploitus.com/exploit?id=2C6CFACD-3EF3-53E3-8BEC-DC644B60361E
# CVE-2025-63946  Tencent PC Manager EoP

version: PCManager Version lower or equal 17.10.28554.205
Summary: I discovered a vulnerability in Tencent PC Manager where files and directories under C:\Windows\Temp are insecurely handled. An attacker can leverage symbolic link (symlink) attacks to coerce a SYSTEM-privileged process into deleting arbitrary files, resulting in local privilege escalation.During the scan process, QQPCRtp.exe, running under NT AUTHORITY\SYSTEM, moves the scanned files into this temporary directory and deletes them after the scan completes. 

It was observed the process "QQPCRTP.exee" will do the following with SYSTEM privilege when we start scanning the drive:
 
1. QQPCRTP.exe creates a subdirectory named with a uuid (e.g., {*}) inside _pcmgr_scan_tmp_.
   
3. At the end, QQPCRTP.exe uses SYSTEM privileges to delete the {*} subdirectory inside _pcmgr_scan_tmp_.

Since the directory "C:\Windows\Temp\_pcmgr_scan_tmp_" could be created by current user and assigned with "Modify" privilege for current user, current user could modify and read the entire directory. With this setup, an unprivileged user is able to achieve arbitrary file delete by creating a symbolic link to a privileged location (e.g., C:\Windows\System32). Furthermore, a malicious user could achieve local privilege escalation from arbitrary file/folder delete.

I also do not really know when will the Tencent PC Manager create the _pcmgr_scan_tmp_ folder so we need to win the race condition to create the _pcmgr_scan_tmp_ folder on Windows\Temp . Otherwise you can perform this exploit until the PC Manager re-install

To perform LPE by arbitrary file/folder delete , the user could perform follow steps:

1. User create folder "C:\Windows\Temp\TencentDownload"

2. User set OpLock on folder "C:\Windows\Temp\_pcmgr_scan_tmp_\{*}" once we observe the any {*} folder are created

4. The process "QQPCRTP.exe" will attempt to remove folder "C:\Windows\Temp\_pcmgr_scan_tmp_\{*}" with SYSTEM privilege. 

5. The process "QQPCRTP.exe" will be paused due to the OpLock

6. When OpLock is triggered, user move file "C:\Windows\Temp\_pcmgr_scan_tmp_\{*}" to somewhere else to empty the folder

7. User create junction "C:\Windows\Temp\_pcmgr_scan_tmp_\{*}" to "\RPC Control"

8. User create symbolic link "GLOBAL\GLOBALROOT\RPC Control\{*}" to target folder/file (e.g., C:\Windows\System32\secrets)

9. User release OpLock

10. User delete symbolic link

11. Target file/folder (e.g., C:\Windows\System32\secrets) would be deleted

PoC video :https://drive.google.com/file/d/1-8GngjK97cnfqHw0cB_GncUxzLLR2wpF/view?usp=sharing