关联漏洞
标题:
Microsoft Windows User Profile Service 后置链接漏洞
(CVE-2019-0986)
描述:Microsoft Windows和Microsoft Windows Server都是美国微软(Microsoft)公司的产品。Microsoft Windows是一套个人设备使用的操作系统。Microsoft Windows Server是一套服务器操作系统。Windows User Profile Service是其中的一个用户配置文件服务组件。 Microsoft Windows User Profile Service(ProfSvc)中存在后置链接漏洞。该漏洞源于网络系统或产品未正确过滤表示非
描述
Security Research
介绍
# Security Research for FUN
All focused on Microsoft Windows OS
## CVE-2019-0986
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0986
This is the PoC I've sent to Microsoft when I reported the above vulnerability
This PoC exploits "User Profile Service" (ProfSvc.dll).
It will delete all files within an arbitrary directory despite of the permissions set on that directory
(except files that are exclusively locked by SYSTEM processes).
Requisite for this:
1) attacker user cannot have a current active session (he has to be logged-off the system).
2) attacker user must have an existing HOME directory.
This is why we are going to delete NTUSER.DAT file (in the attacker HOME directory) in order to trigger the right condition for exploitation.
So, next step: you shoud log in with another arbitrary "user_2" and exec the exploit with user_1 (attacker) credentials.
You'll find a precompiled exe bin\x64\Debug directory
```
Usage :
NtDataPoc.exe USERNAME DOMAINNAME PASSWORD DIRECTORY_TO_DELETE
Example :
NtDataPoc.exe theuser win10-dev MySecretPwd c:\secureDirectory
```
IDE VS 2015/2017 | CSproj is available. Compile platform choiche is yours: suggested is x64
This has been tested on :
```
OS Name: Microsoft Windows 10 Enterprise N
OS Version: 10.0.17763 N/A Build 17763
```
```
OS Name: Microsoft Windows 8.1 Pro
OS Version: 6.3.9600 N/D build 9600
```
---
 [Buy me a beer if you like ;-)](https://www.buymeacoffee.com/padovah4ck)
文件快照
[4.0K] /data/pocs/122c93864bdc0caeb11ac26cbefdea81f1a550f2
├── [4.0K] NtDataPoc
│ ├── [ 569] App.config
│ ├── [4.0K] bin
│ │ └── [4.0K] x64
│ │ └── [4.0K] Debug
│ │ ├── [ 28K] NtDataPoc.exe
│ │ ├── [ 569] NtDataPoc.exe.config
│ │ └── [ 40K] NtDataPoc.pdb
│ ├── [5.4K] HardLink.cs
│ ├── [ 20K] JunctionPoint.cs
│ ├── [9.8K] NativeWin32.cs
│ ├── [2.8K] NetworkConnection.cs
│ ├── [1.5K] NotepadHelper.cs
│ ├── [4.6K] NtDataPoc.csproj
│ ├── [ 396] NtDataPoc.csproj.user
│ ├── [2.1K] NtHardLink.cs
│ ├── [4.0K] obj
│ │ ├── [4.0K] Debug
│ │ │ ├── [2.9K] DesignTimeResolveAssemblyReferences.cache
│ │ │ ├── [6.7K] DesignTimeResolveAssemblyReferencesInput.cache
│ │ │ ├── [ 17K] DnsTest.csprojAssemblyReference.cache
│ │ │ ├── [ 42] DnsTest.csproj.CoreCompileInputs.cache
│ │ │ ├── [ 922] DnsTest.csproj.FileListAbsolute.txt
│ │ │ ├── [6.6K] DnsTest.csprojResolveAssemblyReference.cache
│ │ │ ├── [ 20K] DnsTest.exe
│ │ │ ├── [ 28K] DnsTest.pdb
│ │ │ ├── [ 86K] Interop.ADODB.dll
│ │ │ ├── [3.5K] Interop.APEDBSet.dll
│ │ │ ├── [ 24K] Interop.Bonjour.dll
│ │ │ ├── [ 48K] Interop.CDO.dll
│ │ │ ├── [4.0K] Interop.CertCOMLib.dll
│ │ │ ├── [ 15K] Interop.OWSSUPP.dll
│ │ │ ├── [3.5K] Interop.WEFDebug.dll
│ │ │ └── [ 72K] Interop.WUApiLib.dll
│ │ └── [4.0K] x64
│ │ └── [4.0K] Debug
│ │ ├── [ 672] DesignTimeResolveAssemblyReferences.cache
│ │ ├── [6.6K] DesignTimeResolveAssemblyReferencesInput.cache
│ │ ├── [ 18K] DnsTest.csprojAssemblyReference.cache
│ │ ├── [ 42] DnsTest.csproj.CoreCompileInputs.cache
│ │ ├── [ 452] DnsTest.csproj.FileListAbsolute.txt
│ │ ├── [ 20K] DnsTest.exe
│ │ ├── [ 32K] DnsTest.pdb
│ │ ├── [ 42] NtDataPoc.csproj.CoreCompileInputs.cache
│ │ ├── [ 394] NtDataPoc.csproj.FileListAbsolute.txt
│ │ ├── [ 28K] NtDataPoc.exe
│ │ └── [ 38K] NtDataPoc.pdb
│ ├── [ 11K] ProcExtension.cs
│ ├── [ 14K] Program.cs
│ └── [4.0K] Properties
│ └── [1.4K] AssemblyInfo.cs
└── [1.6K] README.md
9 directories, 43 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。