With Windows 10, junction directory can be created easily from 'non-admin' account inside c:\Windows\System32.
Such actions would result in creation of junction directories UNKNOWINGLY(to Administrator) to random folders!!!
Creating the soft-link to 'c:\Windows\System32' requires admin privileges:
C:\Users\hacker>mklink c:\ProgramData\Hacker_test\test.txt c:\Windows\System32\sample.txt
Access is denied.
But creating Junction directory does not require any admin privileges, which is the SECURITY VULNERABILITY.
C:\Users\hacker>mklink /J c:\ProgramData\Hacker_test c:\Windows\System32
Junction created for c:\ProgramData\Hacker_test <<===>> c:\Windows\System32
So the higher privileged Windows Services running with NT AUTHORITY\SYSTEM privileges writing/reading logs/data/configuration can be redirected to any WINDOWS LOCATION(even to c:\Windows\System32) by 'non-admin' user(Using mkling /J).
Does Windows has released any security patch for it?
If not, How can Windows Service restrict creation of Junction directories(by 'non-admin' user) for the files(logs/data/configuration) to which it is writing/reading?
Any help, would be greatly appreciated.
Thanks,
Vinay
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(140.8, 92%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVK%3C/text%3E%3C/svg%3E)
