Vulnerability detected in Microsoft Windows 10

Vinay Kumar 1 Reputation point
2021-02-24T07:14:03.87+00:00

With Windows 10, junction directory can be created easily from 'non-admin' account inside c:\Windows\System32.
Such actions would result in creation of junction directories UNKNOWINGLY(to Administrator) to random folders!!!

Creating the soft-link to 'c:\Windows\System32' requires admin privileges:

C:\Users\hacker>mklink c:\ProgramData\Hacker_test\test.txt c:\Windows\System32\sample.txt
Access is denied.

But creating Junction directory does not require any admin privileges, which is the SECURITY VULNERABILITY.

C:\Users\hacker>mklink /J c:\ProgramData\Hacker_test c:\Windows\System32
Junction created for c:\ProgramData\Hacker_test <<===>> c:\Windows\System32

So the higher privileged Windows Services running with NT AUTHORITY\SYSTEM privileges writing/reading logs/data/configuration can be redirected to any WINDOWS LOCATION(even to c:\Windows\System32) by 'non-admin' user(Using mkling /J).

Does Windows has released any security patch for it?
If not, How can Windows Service restrict creation of Junction directories(by 'non-admin' user) for the files(logs/data/configuration) to which it is writing/reading?

Any help, would be greatly appreciated.

Thanks,
Vinay

Windows 10
Windows 10
A Microsoft operating system that runs on personal computers and tablets.
11,113 questions
Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,828 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Xiaowei He 9,876 Reputation points
    2021-02-25T07:25:03.467+00:00

    Hi,

    It's recommended to send feedback to Microsoft with the Feedback Hub app:

    https://support.microsoft.com/en-us/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332

    Thanks for your time!
    Best Regards,
    Anne

    -----------------------------

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.