
Windows: "AppX Deployment Service" (AppXSVC) elevation of privilege vulnerability

Class: Local Elevation of Privileges

Description:
This PoC exploits a vulnerability in the "AppX Deployment Service" (AppXSVC) and,
if it works, it assigns the "Modify" right for the "Authenticated Users" group on the target file (on which we need to have at least Read permission).
It first creates a junction pointing to a chosen directory in which a hardlink is placed to a file that we do not have permission to write.
Launching Edge for the first time causes the process to crash, and it takes SYSTEM ownership of the mounted directory.
We then change the DACL of that directory. With this trick, the next time we launch Edge, the AppxSvc service tries to do some operations
impersonating the "normal" user but fails to handle the junction and the hardlink!
Final result: as a side effect, I guess, the AppxSvc service writes the DACL to the target file.
You will not have FULL CONTROL of the file, but "NT AUTHORITY\Authenticated Users" will be granted the MODIFY right on the target file.

One of the tricky things is that the directory we use as junction point is created in "C:\".
In this way, the default permissions of the directory are the following:

c:\fooDir NT AUTHORITY\SYSTEM:(F)
          NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(WDAC,WO,GA)
          BUILTIN\Administrators:(I)(OI)(CI)(F)
          NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
          BUILTIN\Users:(I)(OI)(CI)(RX)
          NT AUTHORITY\Authenticated Users:(I)(M)
          NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)

As we can see from "NT AUTHORITY\Authenticated Users:(I)(M)", the Modify right for "Authenticated Users" is inherited by default from "C:\".
I have the feeling that this is an important part of the vulnerability (a key); given the fact that AppxSvc improperly handles
permissions on junctions and hardlinks (we see that it fails with errors), when the service later writes the DACL on the file it seems to
"transfer" all the inherited permissions to it. I have experimented a little bit with directory permissions (Inherit/Container Inherit/Object Inherit)
and so on, and it seems like that.

** Be careful ** :
1) A hardlink can be created only to files on which we have at least Read permission (and only to files on the same volume).
2) You can't take control of files owned by "NT SERVICE\TrustedInstaller", but there are still a lot of system files owned by "NT AUTHORITY\SYSTEM" that we can target.


The following steps are required to execute the exploit (logic flow):

1) Check whether the directory "C:\Users\{Environment.UserName}\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe" exists.
If not, launch Edge for the first time to create that directory.

2) Check whether any Microsoft Edge processes are running. If so, kill them all.
We need this because inside the "C:\Users\{Environment.UserName}\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Settings" directory
reside the files "settings.dat", "settings.dat.LOG1" and "settings.dat.LOG2", which are exclusively locked by the Edge process. So we need to kill it to delete the directory.

3) Create a temporary directory in C:\ ; it will inherit "NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)" from the parent folder;
this is the directory we will use as mountpoint. Create the hardlink to the targeted file within this directory.

4) Delete the local user directory for the Microsoft Edge AppX package:
"C:\Users\{Environment.UserName}\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Settings"
I have chosen MicrosoftEdge, but it works for any other Packaged App that writes into the directory "C:\Users\{Environment.UserName}\AppData\Local\Packages\".
(I think every AppX writes within that directory.) Examples: WindowsCamera, WindowsCalculator, and so on.

5) Create a junction (even "mklink /J ..." is OK to create it) from "C:\Users\{Environment.UserName}\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Settings"
to the mount directory (the one we created in point 3).

6) Launch Microsoft Edge; it will crash and AppxSvc will take SYSTEM ownership of the directory created in point 3.

7) Remove the permissions for the current user and for S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194 from the directory created in point 3.
It seems that this SID (S-1-15-2-*) comes from Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapAuthz\ApplicationsEx\Microsoft.MicrosoftEdge_44.17763.1.0_neutral__8wekyb3d8bbwe\PackageSid
and it is a capability key for MS Edge.

8) Clear the files from the mounted directory (created in point 3) and re-create the hardlink to the targeted file inside this directory.

9) Re-create the junction from "C:\Users\{Environment.UserName}\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Settings" to the directory (created in point 3).

10) Start Edge again. It will trigger an error and during this process it writes the DACL over the target file.

11) Now the target file should be modifiable (it can also be deleted) by "NT AUTHORITY\Authenticated Users"  ->  NT AUTHORITY\Authenticated Users:(I)(M)
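Added example, not part of the PoC or of any Microsoft tooling: a small Python audit that reads a DACL as an SDDL string, such as the Sddl property that PowerShell's Get-Acl returns for a file, and flags allow-ACEs that give Authenticated Users, Users, Everyone or Interactive any write-like right (write data, append, delete child, delete, write DAC, write owner, or the generic write/all bits). It is the check a defender would run over files owned by NT AUTHORITY\SYSTEM to find the end state this write-up describes, an inherited (I)(M) entry for Authenticated Users on a file that should only be readable. The three SDDL strings inside are constructed: one mirrors the C:\fooDir listing above, one a target file after the described outcome, one the same file with its expected DACL. The two-letter right codes and SID aliases are standard SDDL; which bits count as "write-like" is this example's own choice.

```python
"""Audit an NTFS DACL, given as an SDDL string, for broad principals that
hold write-like rights. Example code, not part of the original PoC."""
import re
from typing import FrozenSet, List, NamedTuple

# SDDL two-letter rights -> access-mask bits (file-system meaning in comments).
RIGHTS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "FA": 0x001F01FF,  # full control, what icacls prints as (F)
    "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "CC": 0x1,      # FILE_READ_DATA / LIST_DIRECTORY
    "DC": 0x2,      # FILE_WRITE_DATA / ADD_FILE
    "LC": 0x4,      # FILE_APPEND_DATA / ADD_SUBDIRECTORY
    "SW": 0x8, "RP": 0x10, "WP": 0x20, "DT": 0x40, "LO": 0x80, "CR": 0x100,
    "SD": 0x10000,  # DELETE
    "RC": 0x20000,  # READ_CONTROL
    "WD": 0x40000,  # WRITE_DAC
    "WO": 0x80000,  # WRITE_OWNER
}
# Bits that let a principal change content, delete, or rewrite the DACL/owner
# (this example's own definition of "write-like").
WRITE_LIKE = (RIGHTS["DC"] | RIGHTS["LC"] | RIGHTS["DT"] | RIGHTS["SD"]
              | RIGHTS["WD"] | RIGHTS["WO"] | RIGHTS["GA"] | RIGHTS["GW"])
MODIFY = 0x001301BF  # the mask icacls prints as (M)

# Principals that effectively mean "any local user".
BROAD = {"AU": "Authenticated Users", "BU": "Users", "WD": "Everyone",
         "IU": "Interactive"}
SID_ALIASES = {"S-1-5-11": "AU", "S-1-5-32-545": "BU", "S-1-1-0": "WD",
               "S-1-5-4": "IU"}

DACL_RE = re.compile(r"D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)")
ACE_RE = re.compile(r"\(([^;)]*);([^;)]*);([^;)]*);([^;)]*);([^;)]*);([^)]*)\)")


class Ace(NamedTuple):
    ace_type: str           # "A" allow, "D" deny, audit types otherwise
    flags: FrozenSet[str]   # OI, CI, IO, NP, ID, ...
    mask: int
    sid: str                # SID string or two-letter alias


class Finding(NamedTuple):
    principal: str
    inherited: bool
    mask: int


def parse_mask(text: str) -> int:
    """Rights field: either a hex literal or a run of two-letter codes."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    if len(text) % 2:
        raise ValueError(f"malformed rights field {text!r}")
    mask = 0
    for i in range(0, len(text), 2):
        mask |= RIGHTS[text[i:i + 2]]  # KeyError surfaces unknown codes
    return mask


def parse_dacl(sddl: str) -> List[Ace]:
    """Extract the ACEs of the D: section (O:/G:/S: sections are ignored)."""
    m = DACL_RE.search(sddl)
    if not m:
        raise ValueError("SDDL string has no D: section")
    aces = []
    for ace_type, fl, rights, _obj, _inh_obj, sid in ACE_RE.findall(m.group("aces")):
        flags = frozenset(fl[i:i + 2] for i in range(0, len(fl), 2))
        aces.append(Ace(ace_type, flags, parse_mask(rights), sid))
    return aces


def risky_aces(sddl: str, include_inherit_only: bool = False) -> List[Finding]:
    """Allow-ACEs granting write-like rights to a broad principal.

    Inherit-only ACEs grant nothing on the object itself, only on children,
    so they are skipped unless asked for. Deny ACEs are not weighed against
    allows here; treat a finding as a lead, not a computed effective access."""
    findings = []
    for ace in parse_dacl(sddl):
        if ace.ace_type != "A":
            continue
        if "IO" in ace.flags and not include_inherit_only:
            continue
        alias = SID_ALIASES.get(ace.sid, ace.sid)
        if alias in BROAD and ace.mask & WRITE_LIKE:
            findings.append(Finding(BROAD[alias], "ID" in ace.flags, ace.mask))
    return findings


# Constructed samples (not captured from a real host).
# 1) the C:\fooDir listing from the advisory, rewritten as SDDL
FOODIR_SDDL = ("D:AI(A;;FA;;;SY)(A;OICIIO;WDWOGA;;;SY)(A;OICIID;FA;;;BA)"
               "(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;BU)"
               "(A;ID;0x1301bf;;;AU)(A;OICIIOID;0x1301bf;;;AU)")
# 2) a SYSTEM-owned file after the described outcome: Authenticated Users got (I)(M)
TAMPERED_FILE_SDDL = ("O:SYG:SYD:AI(A;ID;FA;;;SY)(A;ID;FA;;;BA)"
                      "(A;ID;0x1200a9;;;BU)(A;ID;0x1301bf;;;AU)")
# 3) the same file with its expected DACL (Users get read/execute only)
CLEAN_FILE_SDDL = "O:SYG:SYD:AI(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)"

if __name__ == "__main__":
    for label, sddl in [("C:\\fooDir", FOODIR_SDDL),
                        ("tampered file", TAMPERED_FILE_SDDL),
                        ("clean file", CLEAN_FILE_SDDL)]:
        for f in risky_aces(sddl):
            print(f"{label}: {f.principal} holds 0x{f.mask:x}"
                  f"{' (inherited)' if f.inherited else ''}")
```

On a real host, feed it `(Get-Acl <path>).Sddl` for each file under a system directory; a non-empty result for a file whose only broad entry should be Users read/execute is the artefact described above. Note that "WD" means Everyone in the SID field but WRITE_DAC in the rights field; the parser keeps the two fields apart.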


Platform:
This has been tested on a fully patched system (latest patch -> June 2019):
OS Edition:              Microsoft Windows 10 Enterprise N
OS Version:              1809
OS Version Info:         10.0.17763 N/A Build 17763.503

Additional Info
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\BuildLabEx  = 17763.1.amd64fre.rs5_release.180914-1434


Expected result:
It should open Microsoft Edge.

Observed result:
It writes permissions to the target file.



Christian Danieli ( @padovah4ck )