Share
# Exploit Title: MSI Packages Symbolic Links Processing - Windows 10 Privilege Escalation  
# Author: nu11secur1ty  
# Date: 2020-02-14  
# Vendor: Microsoft  
# Link: https://github.com/nu11secur1ty/Windows10Exploits/tree/master/Undefined/CVE-2020-0683/nu11secur1ty  
# CVE: CVE-2020-0683  
  
  
[+] Credits: Ventsislav Varbanovski (@ nu11secur1ty)  
[+] Website: https://www.nu11secur1ty.com/  
[+] Source: readme from GitHUB  
[+] twitter.com/nu11secur1ty  
  
  
[Exploit Program]  
Link:  
https://github.com/nu11secur1ty/Windows10Exploits/tree/master/Undefined/CVE-2020-0683/nu11secur1ty  
  
  
[Vendor]  
Microsoft  
  
  
[Vulnerability Type]  
Windows Installer Elevation of Privilege Vulnerability  
  
[CVE Reference]  
  
An elevation of privilege vulnerability exists in the Windows Installer  
when MSI packages process symbolic links. An attacker who successfully  
exploited this vulnerability could bypass access restrictions to add or  
remove files.  
  
To exploit this vulnerability, an attacker would first have to log on to  
the system. An attacker could then run a specially crafted application that  
could exploit the vulnerability and add or remove files.  
  
The security update addresses the vulnerability by modifying how to reparse  
points are handled by the Windows Installer.  
  
  
[Security Issue]  
Elevation of Privilege from user to C:\Windows\administartion execution  
files  
  
  
[References]  
  
# CVE-2020-0683  
Original Poc sent to MSRC.  
Assigned to CVE-2020-0683 - Windows Installer Elevation of Privilege  
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-0683  
  
Source code for Visual Studio C++ 2019  
  
Inside "nu11secur1ty" you'll find the exploit (exe) to execute.  
  
# Note:  
  
This test is using `system.ini` in c:\Windows\system.ini  
When you exploit this file you should replace with the original file  
`system.ini` after this test, which you will find in CVE-2020-0683  
directory :)  
  
--------------------------------------------------------------------------  
  
- - How to run the exploit  
  
Go into "nu11secur1ty" directory and from a cmd console launch:  
  
- for the test  
  
MsiExploit.exe c:\Windows\system.ini"  
  
Be sure that both "MsiExploit.exe" and "foo.msi" reside in the same directory.  
  
- Disclaimer:  
  
The entry creation date may reflect when the CVE ID was allocated or  
reserved, and does not necessarily indicate when this vulnerability  
was discovered, shared with the affected vendor, publicly disclosed,  
or updated in CVE.  
  
  
- @nu11secur1ty  
  
  
[Network Access]  
Local  
  
  
[Disclosure Timeline]  
02/11/2020  
  
[Disclaimer]  
  
The entry creation date may reflect when the CVE ID was allocated or  
reserved, and does not necessarily indicate when this vulnerability  
was discovered, shared with the affected vendor, publicly disclosed,  
or updated in CVE.  
  
  
nu11secur1ty  
--