This means that, if we found a privileged file write vulnerability in Windows or in some third-party software, we could copy our own version of windowscoredeviceinfo.dll into C:\Windows\Sytem32\ and then have it loaded by the USO service to get arbitrary code execution as NT AUTHORITY\System. There is even an undocumented built-in tool called usoclient.exe, which serves that purpose.įrom an attacker's standpoint, this service is interesting because it runs as NT AUTHORITY\System and it tries to load a non-existent DLL ( windowscoredeviceinfo.dll) whenever an Update Session is created. check whether updates are available) or start the download of pending updates for example. As a regular user, you can interact with this service using COM, and start an "update scan" (i.e. Starting from Windows 10, Microsoft introduced the Update Session Orchestrator service. which was fixed by Microsoft starting from build version 1903. It provides an alternative to the DiagHub DLL loading "exploit" found by James Forshaw (a.k.a. This PoC shows a technique that can be used to weaponize privileged file write vulnerabilities on Windows. This means that, although it still works on the mainstream version of Windows 10, you should expect it to be patched in the coming months. ⚠️ Update: this trick no longer works on the latest builds of Windows 10 Insider Preview.
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |