Vigil@nce - Windows: privilege escalation via User Profile Service
January 2015 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use the User Profile Service of Windows, in order
to escalate his privileges.
Impacted products: Windows 2003, Windows 2008 R0, Windows 2008 R2,
Microsoft Windows 2012, Windows 7, Windows 8, Windows RT, Windows
Vista
Severity: 2/4
Creation date: 12/01/2015
Revision date: 13/01/2015
DESCRIPTION OF THE VULNERABILITY
When a user authenticates on Windows, the User Profile Service
(ProfSvc) create directories and mounts registry hives. However,
some operations are potentially dangerous.
If an attacker can create C:\Users, he can use a junction to force
the service to create a sub-directory anywhere. [severity:1/4]
An attacker can change his %TMP% or %TEMP% with "..\", in order to
force the service to create a temporary directory anywhere.
[severity:2/4]
An attacker can use EnsurePreCreateKnownFolders, in order to
change the integrity level of a directory. [severity:1/4]
An attacker can use a junction, in order to read the UsrClass.dat
hive file of another user. [severity:2/4]
An attacker can therefore use the User Profile Service of Windows,
in order to escalate his privileges.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Windows-privilege-escalation-via-User-Profile-Service-15946