Hi,
In case you believe this is a valid vulnerability , please prepare the proof of concept and report it to the MSRC. Have a look at:
This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
With Windows 10, junction directory can be created easily from 'non-admin' account inside c:\Windows\System32.
Such actions would result in creation of junction directories UNKNOWINGLY(to Administrator) to random folders!!!
Creating the soft-link to 'c:\Windows\System32' requires admin privileges:
C:\Users\hacker>mklink c:\ProgramData\Hacker_test\test.txt c:\Windows\System32\sample.txt
Access is denied.
But creating Junction directory does not require any admin privileges, which is the SECURITY VULNERABILITY.
C:\Users\hacker>mklink /J c:\ProgramData\Hacker_test c:\Windows\System32
Junction created for c:\ProgramData\Hacker_test <<===>> c:\Windows\System32
So the higher privileged Windows Services running with NT AUTHORITY\SYSTEM privileges writing/reading logs/data/configuration can be redirected to any WINDOWS LOCATION(even to c:\Windows\System32) by 'non-admin' user(Using mkling /J).
Does Windows has released any security patch for it?
If not, How can Windows Service restrict creation of Junction directories(by 'non-admin' user) for the files(logs/data/configuration) to which it is writing/reading?
Any help, would be greatly appreciated.
Thanks,
Vinay
Hi,
In case you believe this is a valid vulnerability , please prepare the proof of concept and report it to the MSRC. Have a look at:
Hi,
It's recommended to send feedback to Microsoft with the Feedback Hub app:
Thanks for your time!
Best Regards,
Anne
-----------------------------
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.