We have confirmed this POC to work and in fact provide read access to a chosen file that the initiating user didn't have read access to. https://twitter.com/Evil_Polar_Bear/status/1075605011105767424 …
Replying to @0patch
I haven't seen anything other than a pegged CPU. The VM in question has 4 cores. ¯\_(ツ)_/¯ pic.twitter.com/HHMFcJQDLd
Replying to @wdormann
It is a race condition issue, and your race was lost :) Did you also try the desktop.ini from another user?
Replying to @0patch
I've narrowed it down to: If you set the "Deny" permission for "Authenticated Users", this exploit will not successfully be able to read the file in question (it'll just peg the CPU and never return). How my one snapshot ended up with my "limited" user with full privs, ¯\_(ツ)_/¯ pic.twitter.com/jEsz5Xj01c
Replying to @wdormann
1) Makes sense: Local System is a member of Authenticated Users so it can't access the file. 2) One of your previously tested exploits worked and put the limited user in the admin group?
Replying to @0patch
First part seems OK. It's the second part that is mind-boggling to me. Somehow along the way, the C:\Users\test_user directory was set to give full access to the "limited" user. I can't imagine how I would have accidentally made this happen, but I also can't reproduce it. pic.twitter.com/Gy4KKK8RN1
Mystery solved! If you browse to a directory you don't have access to, upon authentication you will *permanently* get access to the directory, as well as the *files contained within*! I never noticed "permanently", nor did I realize that it affects any ACLs set via inheritance. pic.twitter.com/Y3LxV1Iilj
Replying to @wdormann
Ah yes, this is one of the ugliest "shoot yourself in the foot" features in Windows.