Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1020 CNY

100%
Buy Us a Coffee

CVE-2019-0986 PoC — Windows User Profile Service Elevation of Privilege Vulnerability

Source
https://github.com/padovah4ck/CVE-2019-0986
Associated Vulnerability
Title:Windows User Profile Service Elevation of Privilege Vulnerability (CVE-2019-0986)
Description:An elevation of privilege vulnerability exists when the Windows User Profile Service (ProfSvc) improperly handles symlinks. An attacker who successfully exploited this vulnerability could delete files and folders in an elevated context. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and delete files or folders of their choosing. The security update addresses the vulnerability by correcting how the Windows User Profile Service handles symlinks.
Description
Security Research
Readme
# Security Research for FUN

All focused on Microsoft Windows OS

## CVE-2019-0986
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0986  
This is the PoC I've sent to Microsoft when I reported the above vulnerability  

This PoC exploits "User Profile Service" (ProfSvc.dll).  

It will delete all files within an arbitrary directory despite of the permissions set on that directory  
(except files that are exclusively locked by SYSTEM processes).

Requisite for this:  
1) attacker user cannot have a current active session (he has to be logged-off the system).  
2) attacker user must have an existing HOME directory. 

This is why we are going to delete NTUSER.DAT file (in the attacker HOME directory) in order to trigger the right condition for exploitation.  
So, next step: you shoud log in with another arbitrary "user_2" and exec the exploit with user_1 (attacker) credentials.  


You'll find a precompiled exe bin\x64\Debug directory   
```
Usage :
NtDataPoc.exe USERNAME DOMAINNAME PASSWORD DIRECTORY_TO_DELETE  
  
Example :  
NtDataPoc.exe theuser win10-dev MySecretPwd c:\secureDirectory  
```

IDE VS 2015/2017 | CSproj is available. Compile platform choiche is yours: suggested is x64   
   
   
This has been tested on :  
```
OS Name:                   Microsoft Windows 10 Enterprise N  
OS Version:                10.0.17763 N/A Build 17763
```  
```
OS Name:                   Microsoft Windows 8.1 Pro
OS Version:               6.3.9600 N/D build 9600
```  

---

![Beer](https://icons.iconarchive.com/icons/flat-icons.com/flat/48/Beer-icon.png)  [Buy me a beer if you like ;-)](https://www.buymeacoffee.com/padovah4ck)
File Snapshot

 [4.0K]  /data/pocs/122c93864bdc0caeb11ac26cbefdea81f1a550f2
├── [4.0K]  NtDataPoc
│   ├── [ 569]  App.config
│   ├── [4.0K]  bin
│   │   └── [4.0K]  x64
│   │       └── [4.0K]  Debug
│   │           ├── [ 28K]  NtDataPoc.exe
│   │           ├── [ 569]  NtDataPoc.exe.config
│   │           └── [ 40K]  NtDataPoc.pdb
│   ├── [5.4K]  HardLink.cs
│   ├── [ 20K]  JunctionPoint.cs
│   ├── [9.8K]  NativeWin32.cs
│   ├── [2.8K]  NetworkConnection.cs
│   ├── [1.5K]  NotepadHelper.cs
│   ├── [4.6K]  NtDataPoc.csproj
│   ├── [ 396]  NtDataPoc.csproj.user
│   ├── [2.1K]  NtHardLink.cs
│   ├── [4.0K]  obj
│   │   ├── [4.0K]  Debug
│   │   │   ├── [2.9K]  DesignTimeResolveAssemblyReferences.cache
│   │   │   ├── [6.7K]  DesignTimeResolveAssemblyReferencesInput.cache
│   │   │   ├── [ 17K]  DnsTest.csprojAssemblyReference.cache
│   │   │   ├── [  42]  DnsTest.csproj.CoreCompileInputs.cache
│   │   │   ├── [ 922]  DnsTest.csproj.FileListAbsolute.txt
│   │   │   ├── [6.6K]  DnsTest.csprojResolveAssemblyReference.cache
│   │   │   ├── [ 20K]  DnsTest.exe
│   │   │   ├── [ 28K]  DnsTest.pdb
│   │   │   ├── [ 86K]  Interop.ADODB.dll
│   │   │   ├── [3.5K]  Interop.APEDBSet.dll
│   │   │   ├── [ 24K]  Interop.Bonjour.dll
│   │   │   ├── [ 48K]  Interop.CDO.dll
│   │   │   ├── [4.0K]  Interop.CertCOMLib.dll
│   │   │   ├── [ 15K]  Interop.OWSSUPP.dll
│   │   │   ├── [3.5K]  Interop.WEFDebug.dll
│   │   │   └── [ 72K]  Interop.WUApiLib.dll
│   │   └── [4.0K]  x64
│   │       └── [4.0K]  Debug
│   │           ├── [ 672]  DesignTimeResolveAssemblyReferences.cache
│   │           ├── [6.6K]  DesignTimeResolveAssemblyReferencesInput.cache
│   │           ├── [ 18K]  DnsTest.csprojAssemblyReference.cache
│   │           ├── [  42]  DnsTest.csproj.CoreCompileInputs.cache
│   │           ├── [ 452]  DnsTest.csproj.FileListAbsolute.txt
│   │           ├── [ 20K]  DnsTest.exe
│   │           ├── [ 32K]  DnsTest.pdb
│   │           ├── [  42]  NtDataPoc.csproj.CoreCompileInputs.cache
│   │           ├── [ 394]  NtDataPoc.csproj.FileListAbsolute.txt
│   │           ├── [ 28K]  NtDataPoc.exe
│   │           └── [ 38K]  NtDataPoc.pdb
│   ├── [ 11K]  ProcExtension.cs
│   ├── [ 14K]  Program.cs
│   └── [4.0K]  Properties
│       └── [1.4K]  AssemblyInfo.cs
└── [1.6K]  README.md

9 directories, 43 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →