I've confirmed that this works well in a fully-patched 64-bit Windows 10 system. LPE right to SYSTEM! https://twitter.com/SandboxEscaper/status/1034125195148255235 …
Anyone tested it on the server variants yet?
Replying to @systemfork @0xDUDE
Yes, it works on Windows Server 2016 as well.
@wdormann Did I see correctly that this can be exploited on server 2012r2? Can you confirm/deny?
Yes, Server 2012 R2 (which is apparently based off of Windows 8.1) is affected.
Is there a PoC of it in the wild or one that you could share?
I've not seen any PoC in the wild. However, I can say with absolute certainty that Windows Server 2012 R2 allows overwriting protected files using the technique demonstrated by the public exploit for this. How you achieve code execution with it is an exercise for the reader. :)
For example here I am "harmlessly" overwriting a TTF file in the C:\Windows\Fonts directory, as a medium-integrity process. That shouldn't be possible. This action also has the side effect of leaving the overwritten files with ACLs that allow all Authenticated Users to modify it. pic.twitter.com/oEAIfCw8K1
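
The ACL side effect described in the last tweet gives defenders something to look for. As an added example (not from the thread or its authors), this PowerShell function lists files in a directory whose ACL lets a broad group such as Authenticated Users write to them; the function name and the extra SIDs it checks are assumptions of the example.

```powershell
# Added audit example; Find-UserWritableSystemFile is a hypothetical name.
function Find-UserWritableSystemFile {
    param(
        [string]$Path = 'C:\Windows\Fonts'   # directory named in the thread
    )

    # Well-known SIDs for broad, non-administrative groups.
    # Only Authenticated Users is mentioned in the thread; the others are added.
    $broadSids = @{
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-1-0'      = 'Everyone'
        'S-1-5-32-545' = 'BUILTIN\Users'
    }

    # Rights that let a principal change a file's contents or its ACL.
    $r = [System.Security.AccessControl.FileSystemRights]
    $writeMask = [int]($r::WriteData -bor $r::AppendData -bor $r::Delete -bor
                       $r::ChangePermissions -bor $r::TakeOwnership)
    # Generic bits that can appear unmapped in an ACE: GENERIC_ALL | GENERIC_WRITE.
    $genericMask = 0x10000000 -bor 0x40000000

    Get-ChildItem -LiteralPath $Path -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        try { $acl = Get-Acl -LiteralPath $file.FullName -ErrorAction Stop } catch { return }

        # Request rules keyed by SID so the check does not depend on OS language.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            $sid    = $rule.IdentityReference.Value
            $rights = [int]$rule.FileSystemRights
            if ($rule.AccessControlType -eq 'Allow' -and $broadSids.ContainsKey($sid) -and
                ($rights -band ($writeMask -bor $genericMask)) -ne 0) {
                [pscustomobject]@{
                    File      = $file.FullName
                    Principal = $broadSids[$sid]
                    Rights    = $rule.FileSystemRights
                    Inherited = $rule.IsInherited
                    Modified  = $file.LastWriteTime
                }
            }
        }
    }
}

# Any row returned here is a file that ordinary users can modify.
Find-UserWritableSystemFile | Format-Table -AutoSize
```

Pass `-Path` to audit other protected directories, such as `C:\Windows\System32`; on a default installation the function should return nothing for them.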