Is an arbitrary file deletion anything other than a denial of service (DoS)? To me, I would have said no, but this article shows us how this can be useful on Windows to escalate privileges.
Why would we think this wouldn't be helpful? Well, the target MUST be something that fails open when the file is deleted. Additionally, Windows OS files are locked behind TrustedInstaller, so they cannot be overwritten even by SYSTEM. So, what is useful to delete then?
Abdelhamid Naceri found this exact type of vulnerability in Windows via the User Profile Service running as SYSTEM. The author turned to the Windows Installer for privilege escalation, the service responsible for installing applications packaged with the .msi extension.
The Windows Installer must have rollback functionality for when an installation goes poorly. Namely, if a file is overwritten with a newer version and the installation then fails, a copy of the old file is saved in case the changes need to be reverted. In order to do this, the installer service creates a folder named C:\Config.Msi. In this folder are .rbs (rollback scripts) and older versions of some files.
If an attacker can delete this folder while this process is taking place, they can recreate it and add rollback scripts that the installer will run as SYSTEM. The next trick is needed because the primitive is an arbitrary file deletion, not an arbitrary folder rename/deletion. But this only requires one additional trick: abusing the NTFS file system.
In Windows, each folder has metadata stored in a separate NTFS stream. For instance, C:\MyFolder has a stream called C:\MyFolder::$INDEX_ALLOCATION. If that stream is deleted, the entire folder is deleted with it. Some Windows file APIs accept this stream name where they expect a file path, so a file-deletion primitive can be pointed at it and remove the folder.
Finally, the author details a technique for escalating privilege in a situation where the contents of the folder are deleted but we do not control the files themselves. In short, it abuses symlinks within oplock callbacks in order to delete the C:\Config.Msi folder.
These techniques turned a seemingly useless vulnerability into a powerful privilege escalation. It is interesting to see how this exploit primitive was developed!