
CVE-2025-21204 PoC — Windows Process Activation Elevation of Privilege Vulnerability

Associated Vulnerability
Title: Windows Process Activation Elevation of Privilege Vulnerability (CVE-2025-21204)
Description: Improper link resolution before file access ('link following') in Windows Update Stack allows an authorized attacker to elevate privileges locally.
Description
Restore the integrity of the parent 'inetpub' folder following security implications highlighted by CVE-2025-21204.
Readme
# Reset inetpub

This script restores the `%SYSTEMDRIVE%\inetpub` folder and its default security permissions, which are necessary as a mitigation for [CVE-2025-21204](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21204) following the [KB5055523](https://support.microsoft.com/en-gb/topic/april-8-2025-kb5055523-os-build-26100-3775-277a9d11-6ebf-410c-99f7-8c61957461eb) Windows update.

It's intended for users who may have deleted this folder before understanding its security purpose and wish to restore it without needing to enable/disable IIS features.

## What This Script Does

1.  Creates the `%SYSTEMDRIVE%\inetpub` directory if it does not exist.
2.  Applies the default Access Control List (ACL) permissions required for the security mitigation to the `inetpub` folder itself.
3.  Sets the owner of the `inetpub` folder to `NT AUTHORITY\SYSTEM`.

## Prerequisites

*   **Administrator privileges are required** to modify system folders and permissions.

## Usage Instructions

Choose **one** of the following methods. All require an **elevated (Administrator) PowerShell** window.

### Method 1: Quick Execution (Pause on Completion)

This command downloads and runs the script immediately. The script will pause for confirmation upon completion by default.

```powershell
powershell -ExecutionPolicy Bypass -Command "irm 'https://raw.githubusercontent.com/mmotti/Reset-inetpub/refs/heads/main/Reset.ps1' | iex"
```

### Method 2: Quick Execution (No Pause)

This command downloads and runs the script immediately, using the `-NoWait` switch to prevent the script from pausing upon completion.

```powershell
powershell -ExecutionPolicy Bypass -Command "& ([ScriptBlock]::Create((irm 'https://raw.githubusercontent.com/mmotti/Reset-inetpub/refs/heads/main/Reset.ps1'))) -NoWait"
```

*   `-NoWait`: A switch parameter passed to the script to suppress the final "Press any key to continue..." prompt.

### Method 3: Manual Execution

1.  **Download the script:**
    ```powershell
    $scriptPath = Join-Path $env:TEMP "Reset-inetpub.ps1"
    Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/mmotti/Reset-inetpub/refs/heads/main/Reset.ps1' -OutFile $scriptPath
    ```
2.  **(Optional) Review the script:**
    ```powershell
    # Open in Notepad
    notepad $scriptPath
    ```
3.  **Execute the local script:**
    ```powershell
    # Standard execution (will pause at the end)
    powershell -ExecutionPolicy Bypass -File $scriptPath

    # -- OR -- #

    # Execution without the final pause
    powershell -ExecutionPolicy Bypass -File $scriptPath -NoWait
    ```
4.  **(Optional) Clean up the downloaded script:**
    ```powershell
    Remove-Item -Path $scriptPath -Force
    ```

---

## Scope and Limitations

Please be aware of the following:

*   **Parent Folder Only:** The script primarily targets the permissions and ownership of the `%SYSTEMDRIVE%\inetpub` folder itself. Default inheritance settings are applied.
*   **Existing Content Warning:** If the `inetpub` directory exists and contains files or subfolders, the script will:
    *   Warn you that the directory is not empty.
    *   Proceed to apply the default permissions to the `inetpub` folder.
    *   Apply the ownership change (`NT AUTHORITY\SYSTEM`) *only* to the `inetpub` folder itself, not recursively. This avoids potentially overriding custom permissions on existing sub-content.

## Permissions Details

The script aims to apply the following permissions, captured from a clean `inetpub` directory created by the relevant Windows update.

**`icacls` export:** See [acls.txt](acls.txt) for the raw SDDL string used by the script.

**`icacls` permission summary (example from `C:` drive):**

```plaintext
C:\inetpub NT SERVICE\TrustedInstaller:(F)
           NT SERVICE\TrustedInstaller:(OI)(CI)(IO)(F)
           NT AUTHORITY\SYSTEM:(F)
           NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
           BUILTIN\Administrators:(F)
           BUILTIN\Administrators:(OI)(CI)(IO)(F)
           BUILTIN\Users:(RX)
           BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
           CREATOR OWNER:(OI)(CI)(IO)(F)
```

*(Note: The script dynamically determines the correct drive letter.)*
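After running the script (or on any machine where the folder may have been deleted or re-permissioned), an administrator will want to confirm the folder still matches the listing above. The following audit snippet is an added example written for this page, not part of the Reset-inetpub project; it checks only the folder itself, as the script does, and the "must have FullControl" and "must not have write access" principal lists are taken from the `icacls` summary above.

```powershell
# Added example (not from the Reset-inetpub project): audit %SYSTEMDRIVE%\inetpub
# against the icacls summary documented in the README. Run from an elevated shell.
$inetpub = Join-Path $env:SystemDrive 'inetpub'

if (-not (Test-Path -LiteralPath $inetpub -PathType Container)) {
    Write-Warning "$inetpub is missing; the CVE-2025-21204 mitigation folder has been removed."
    return
}

$acl      = Get-Acl -LiteralPath $inetpub
$findings = New-Object System.Collections.Generic.List[string]

# 1. Owner must be SYSTEM, which is what the script sets on the folder.
if ($acl.Owner -ne 'NT AUTHORITY\SYSTEM') {
    $findings.Add("Owner is '$($acl.Owner)', expected 'NT AUTHORITY\SYSTEM'")
}

# 2. The reference ACL consists of explicit ACEs only; inherited entries mean
#    the parent drive's permissions have leaked onto the folder.
$inherited = @($acl.Access | Where-Object { $_.IsInherited })
if ($inherited.Count -gt 0) {
    $findings.Add("$($inherited.Count) inherited ACE(s) present; reference ACL is explicit only")
}

# 3. Low-privileged principals are limited to read/execute in the reference ACL.
#    Any write-class right for them on the folder is a deviation worth flagging.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$lowPriv   = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users'
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $who = $ace.IdentityReference.Value
    if ($who -in $lowPriv -and (($ace.FileSystemRights -band $writeMask) -ne 0)) {
        $findings.Add("$who holds write-class rights ($($ace.FileSystemRights)) on $inetpub")
    }
}

# 4. Principals the reference ACL grants full control (F) on the folder.
$full = [System.Security.AccessControl.FileSystemRights]::FullControl
foreach ($must in 'NT SERVICE\TrustedInstaller', 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $hit = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $must -and $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $full) -eq $full)
    }
    if (-not $hit) { $findings.Add("$must lacks an explicit FullControl ACE") }
}

if ($findings.Count -eq 0) { "OK: $inetpub has the expected owner and ACL shape." }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

The check reports shape deviations (owner, inheritance, write access for low-privileged groups, missing full-control grants) rather than comparing a full SDDL, so it stays valid even where a build emits the generic-rights form `(GR,GE)` shown for `BUILTIN\Users` above.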