Allright, so checkdisk tends to leave this file around after doing a disk repair during bootpic.twitter.com/9oUveG6CVu
Show this thread
This is an untested thought experiment- maybe I am wrong, feel free to test it and report back. The scenario is so absurd that exploit feinschmecker will enjoy its ugly elegance. Here we go:
-
-
Thanks. Twitter will use this to make your timeline better. UndoUndo
-
-
-
But, as unpriv user how is that relevant? We cant corrupt the disk without raw write access. And what good could we do with that file?
Show this threadThanks. Twitter will use this to make your timeline better. UndoUndo
-
-
-
Well, if you open c:\:$i30:$bitmap with file_read_attributes - your disk corrupts and checkdisk runs on next boot :) Actually any folder will do the trick- just append :$i30:$bitmap
Show this threadThanks. Twitter will use this to make your timeline better. UndoUndo
-
-
-
Now we have that file- so what? Well, unpriv users cannot create files in the root of the drive. Only folders.... So now we have a file- we can write into it, but what can we do with that name? No priv services etc. will ever open it.
Show this threadThanks. Twitter will use this to make your timeline better. UndoUndo
-
-
-
But....we can change the files shortname, that do not require permission to create a file ;) Shortnames are those progra~1 to represent files too long for old dos limitations.
Show this threadThanks. Twitter will use this to make your timeline better. UndoUndo
-
-
-
If you reply to each message in order it creates a thread, which makes the thread readable and shareable
-
That just do so i have to click on each messsage to open it when I try. I am an old fucker - I dont get the UIs you young kids finds intuitive at all..... Just recently learned you can delete a tweet with that almost invisible button
- Show replies
New conversation -
-
-
How can we use the ability to create a file with arb content in the root to get priv escalation? Well- sometimes, security decisions are based on some weird assumption. Like unpriv users cannot create files in the root of the drive.
Show this threadThanks. Twitter will use this to make your timeline better. UndoUndo
-
-
-
One such place is the updater for chrome/edge - it tries to open a file in the root. I remember that sandbox escaper told me she managed to set a permissive ACL on arb file by setting the log file location in that file. :)
Show this threadThanks. Twitter will use this to make your timeline better. UndoUndo
-
-
-
Maybe we can resurrect good old unescaped program files path?pic.twitter.com/w7B9QdfH7N
Show this threadThanks. Twitter will use this to make your timeline better. UndoUndo
-
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.