A researcher at IOActive, a cybersecurity company, discovered a privilege escalation vulnerability in Windows that can be exploited by abusing games from the Microsoft Store.
The vulnerability, tracked as CVE-2020-16877 and considered serious, affects Windows 10 and Windows Server. Microsoft patched it with its October 2020 Patch Tuesday updates.
Donato Ferrante, senior security consultant at IOActive, who reported the vulnerability to Microsoft, published a blog post this week describing CVE-2020-16877 and some theoretical attack scenarios. He showed how an attacker with a standard user account can use the flaw to escalate privileges on Windows 10.
Ferrante discovered the vulnerability after Microsoft announced that it allows modding for some games in the Microsoft Store. Mods let users make unofficial changes to a game in order to alter its behavior or appearance.
The researcher downloaded a game that supports mods and analyzed its installation process, which he found runs with elevated privileges. He discovered that an attacker can abuse this process to escalate privileges by overwriting or deleting arbitrary files on the system.
To do this, the attacker uses symbolic links (symlinks). Symlinks are essentially shortcuts, but they are known to be abusable to write, modify or delete files in ways that can lead to privilege escalation.
Ferrante created symlinks between the ModifiableWindowsApps folder, which Microsoft created to store moddable games, and a folder on another drive that he could access. This allowed him to hijack the installation process and gain elevated privileges on the system, both by overwriting files and by deleting them.
However, the attack requires the attacker to change the Windows storage settings so that new apps are saved to a drive he can access, and then to install the game from the Microsoft Store.
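A defender-side check suggested by the technique above, added here as an example and not taken from the article or from IOActive: it audits every ModifiableWindowsApps folder on the machine's fixed drives for reparse points (symlinks or junctions), which should not normally appear inside a Store-managed game directory. The folder location under "Program Files" on each drive is an assumption about the default layout.

```powershell
# Added audit example (not from the article or IOActive). Lists reparse points
# found inside ModifiableWindowsApps directories, including the default
# install location redirected to non-system drives via the storage settings.
function Get-ModifiableWindowsAppsReparsePoints {
    [CmdletBinding()]
    param()

    # Assumption: the folder sits at <Drive>:\Program Files\ModifiableWindowsApps.
    $roots = Get-PSDrive -PSProvider FileSystem |
        Where-Object { $_.Root -match '^[A-Za-z]:\\$' } |
        ForEach-Object { Join-Path $_.Root 'Program Files\ModifiableWindowsApps' } |
        Where-Object { Test-Path -LiteralPath $_ }

    foreach ($root in $roots) {
        # -Force includes hidden entries; errors on inaccessible subfolders are skipped.
        Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Attributes -band [IO.FileAttributes]::ReparsePoint } |
            ForEach-Object {
                [pscustomobject]@{
                    Path     = $_.FullName
                    LinkType = $_.LinkType          # e.g. SymbolicLink or Junction
                    Target   = ($_.Target -join ';') # where the link points
                }
            }
    }
}

# Any result here is worth investigating, especially links whose target lies
# outside the ModifiableWindowsApps tree (for example under C:\Windows).
Get-ModifiableWindowsAppsReparsePoints | Format-Table -AutoSize
```

Run it from an elevated prompt so the enumeration can read every subfolder; an empty result means no links were found in the audited folders.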
The researcher demonstrated the potential impact of the vulnerability by obtaining a shell running with SYSTEM privileges, starting from a standard user account.
The attack scenario described by Ferrante involves steps that are visible on screen, such as installing the game from the Microsoft Store and changing the storage settings, which increases the chance that the victim notices the attack. The researcher told SecurityWeek that some of these actions could be hidden, but he did not investigate further.
Microsoft said it does not expect the vulnerability to be exploited in the wild.
Eduard Kovacs (@EduardKovacs) writes for SecurityWeek. He worked for two years as a high school computer science teacher before starting a career in journalism as a security reporter for Softpedia. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.