Attacker Value

High

CVE-2019-0841: AppXSvc Hard Link Privilege Escalation

Attacker Value

High

(1 user assessed)

Exploitability

Low

(1 user assessed)

User Interaction

CVE-2019-0841: AppXSvc Hard Link Privilege Escalation

Disclosure Date: April 09, 2019 •

CVE-2019-0841 CVSS v3 Base Score: 7.8

Exploited in the Wild

Reported by gwillcox-r7 and 1 more...
View Source Details

Description

An elevation of privilege vulnerability exists when Windows AppX Deployment Service (AppXSVC) improperly handles hard links, aka ‘Windows Elevation of Privilege Vulnerability’. This CVE ID is unique from CVE-2019-0730, CVE-2019-0731, CVE-2019-0796, CVE-2019-0805, CVE-2019-0836.

Add Assessment

space-r7 (143)

July 12, 2019 2:39pm UTC (5 years ago)•Edited 4 years ago

Ratings

Attacker Value

High

Exploitability

Low

Technical Analysis

This vulnerability allows for taking over SYSTEM-owned files. Getting an elevated shell takes more effort, either by exposing the DiagHub service, which will willingly load a file from System32 with SYSTEM privileges or by combing the target for a service that loads a dll as SYSTEM. Exploitability is variable due to those reasons, but ultimately this is a useful vulnerability. Effort to execute this exploit is rated higher due to shell access being a prerequisite.

There is even a bypass for this vulnerability’s patch: CVE-2019-1064.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

7.8 High

Impact Score:

5.9

Exploitability Score:

1.8

Vector:

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV):

Local

Attack Complexity (AC):

Low

Privileges Required (PR):

Low

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

microsoft

Products

windows 10 1703,
windows 10 1709,
windows 10 1803,
windows 10 1809,
windows server 2016 1803,
windows server 2019 -

Metasploit Modules

exploit/windows/local/appxsvc_hard_link_privesc (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/appxsvc_hard_link_privesc.rb)

Exploited in the Wild

Reported by:

gwillcox-r7 indicated sources as

Government or Industry Alert (https://www.cisa.gov/uscert/ncas/current-activity/2022/03/15/cisa-adds-15-known-exploited-vulnerability-catalog)
News Article or Blog (https://www.tenable.com/blog/contileaks-chats-reveal-over-30-vulnerabilities-used-by-conti-ransomware-affiliates)

Reported: March 16, 2022 5:15am UTC (2 years ago) • Edited 2 years ago

AttackerKB Worker indicated source as Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)

Reported: November 08, 2024 8:19am UTC (2 weeks ago)

References

Canonical

CVE-2019-0841 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0841)

Miscellaneous

https://krbtgt.pw/dacl-permissions-overwrite-privilege-escalation-cve-2019-0841

Rapid7

High