After finding CVE-2019-1064 and CVE-2019-1253, I was sure there was still something vulnerable in AppXSvc. (Microsoft never fixes something completely; they always leave something vulnerable.)

The root cause of CVE-2019-0841, CVE-2019-1064 and CVE-2019-1130 was incorrect impersonation: instead of impersonating the user and doing the file operation on the user's hive, the service did it as itself, which can be easily abused using a hardlink.

Microsoft introduced hardlinks as an NTFS filesystem feature. A hardlink is basically another name for the same file, so everything is shared between the link and its target: the ACL, the content of the file, the size, the attributes and so on. Because everything is shared, it can be abused: if we call SetSecurityFile on a hardlink, the ACL changes on both the hardlink and the target.

Let's take this CVE as an example.

While randomly looking through UWP app files, I saw this:

As you can see, the ownership is given to SYSTEM and not to the current user, which means the app that created the file was not impersonating the user; instead it ran as itself, "NT AUTHORITY\SYSTEM", which can be easily abused.

Let's take a look in Process Monitor:

Every attempt to open the file MicrosoftEdge.exe is done while impersonating the current user; everything looks fine until AppXSvc opens the file for write access.

It looks like no impersonation is done when opening the file for writing, which is a security issue.

The second CreateFile call specifies OverwriteIf as the open disposition.

This just looks like "knock knock, I am a security vulnerability": it is clearly an arbitrary file overwrite vulnerability.

Writing the PoC

For now I am going to write the PoC in C# instead of C++ (because I forgot some C# basics, so I am going to improve my C# skills).

// These lines sit at the top of Main(string[] args)
string NTAuthoritySystem = @"NT AUTHORITY\SYSTEM";
// %LOCALAPPDATA% of the current (low-privileged) user
string appLocalData = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData);
string WindowsAppsDir = $@"{appLocalData}\Microsoft\WindowsApps";
string MSEdgePackageName = "Microsoft.MicrosoftEdge_8wekyb3d8bbwe";
string EdgeExeName = "MicrosoftEdge.exe";
// Path separators between the components were missing in the original listing
string MSEdgeExe1 = $@"{WindowsAppsDir}\{MSEdgePackageName}\{EdgeExeName}";
//Just For Testing
//string MSEdgeExe2 = $@"{WindowsAppsDir}\Backup\{EdgeExeName}";
string MSEdgeBackupDir = $@"{WindowsAppsDir}\Backup";
//string MSEdgeExe3 = $@"{WindowsAppsDir}\Backup\{MSEdgePackageName}\{EdgeExeName}";
Console.ForegroundColor = ConsoleColor.DarkRed;
Console.WriteLine("# Author : Abdelhamid Naceri");
Console.ResetColor();

These lines initialize variables for later use.

// The target passed on the command line must exist (as a file or a directory);
// the length check avoids an IndexOutOfRangeException when no argument is given
if (args.Length < 1 || (!Directory.Exists(args[0]) && !File.Exists(args[0])))
{
    Console.ForegroundColor = ConsoleColor.Red;
    Console.WriteLine("[!] Invalid Argument");
    Console.ResetColor();
    return;
}

This is the first check, to make sure the given argument is a file or a directory. If it is, the PoC begins exploitation by deploying MS Edge and abusing the privileged file operation with a hardlink and a reparse point (also known as a junction); just check the PoC.
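From the defender's side, the real fix for this class of bug is the one the post names: impersonate the caller before touching files under the user's profile. As an added example (not from the original post or the PoC), the following C# routine shows a defence-in-depth check a privileged service could run on the handle it is about to write through: it opens the final path component without following reparse points and refuses the file if it is a junction/symlink or has more than one hardlink, the two primitives the post abuses. The P/Invoke declarations, constants and the class name are my own.

```csharp
using System;
using System.Runtime.InteropServices;
using Microsoft.Win32.SafeHandles;

static class SafeOverwriteCheck
{
    const uint GENERIC_READ = 0x80000000;
    const uint FILE_SHARE_READ = 0x1;
    const uint OPEN_EXISTING = 3;
    const uint FILE_FLAG_OPEN_REPARSE_POINT = 0x00200000; // open the link itself, do not follow it
    const uint FILE_FLAG_BACKUP_SEMANTICS = 0x02000000;   // needed to open directories too
    const uint FILE_ATTRIBUTE_REPARSE_POINT = 0x400;

    [StructLayout(LayoutKind.Sequential)]
    struct BY_HANDLE_FILE_INFORMATION
    {
        public uint FileAttributes;
        public System.Runtime.InteropServices.ComTypes.FILETIME CreationTime, LastAccessTime, LastWriteTime;
        public uint VolumeSerialNumber, FileSizeHigh, FileSizeLow, NumberOfLinks, FileIndexHigh, FileIndexLow;
    }

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern SafeFileHandle CreateFileW(string lpFileName, uint dwDesiredAccess, uint dwShareMode,
        IntPtr lpSecurityAttributes, uint dwCreationDisposition, uint dwFlagsAndAttributes, IntPtr hTemplateFile);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool GetFileInformationByHandle(SafeFileHandle hFile, out BY_HANDLE_FILE_INFORMATION lpFileInformation);

    // Returns true only if 'path' is an ordinary file with exactly one link and no reparse point.
    // 'reason' explains a refusal so the service can log it.
    public static bool IsPlainSingleLinkFile(string path, out string reason)
    {
        using (SafeFileHandle h = CreateFileW(path, GENERIC_READ, FILE_SHARE_READ, IntPtr.Zero,
            OPEN_EXISTING, FILE_FLAG_OPEN_REPARSE_POINT | FILE_FLAG_BACKUP_SEMANTICS, IntPtr.Zero))
        {
            if (h.IsInvalid) { reason = "open failed, Win32 error " + Marshal.GetLastWin32Error(); return false; }
            if (!GetFileInformationByHandle(h, out BY_HANDLE_FILE_INFORMATION info)) { reason = "query failed"; return false; }
            if ((info.FileAttributes & FILE_ATTRIBUTE_REPARSE_POINT) != 0) { reason = "reparse point (junction/symlink)"; return false; }
            if (info.NumberOfLinks > 1) { reason = "hardlinked file (" + info.NumberOfLinks + " links)"; return false; }
        }
        reason = "ok";
        return true;
    }
}
```

Two caveats a reviewer would raise: do the write through the same handle the check was made on (a separate check-then-reopen is a race the attacker can win), and FILE_FLAG_OPEN_REPARSE_POINT only protects the last component, so a junction in a parent directory is still followed; that is why impersonating the user, rather than filtering paths, is the actual fix.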

This is a demo video that shows the file overwrite/creation vulnerability.

That was a funny bug!

Thank You For Reading :)