Freely subscribe to our NEWSLETTER

This bulletin was written by Vigil@nce : http://vigilance.fr/offer

SYNTHESIS OF THE VULNERABILITY

An attacker can use the User Profile Service of Windows, in order
to escalate his privileges.

Impacted products: Windows 2003, Windows 2008 R0, Windows 2008 R2,
Microsoft Windows 2012, Windows 7, Windows 8, Windows RT, Windows
Vista

Severity: 2/4

Creation date: 12/01/2015

Revision date: 13/01/2015

DESCRIPTION OF THE VULNERABILITY

When a user authenticates on Windows, the User Profile Service
(ProfSvc) create directories and mounts registry hives. However,
some operations are potentially dangerous.

If an attacker can create C:\Users, he can use a junction to force
the service to create a sub-directory anywhere. [severity:1/4]

An attacker can change his %TMP% or %TEMP% with "..\", in order to
force the service to create a temporary directory anywhere.
[severity:2/4]

An attacker can use EnsurePreCreateKnownFolders, in order to
change the integrity level of a directory. [severity:1/4]

An attacker can use a junction, in order to read the UsrClass.dat
hive file of another user. [severity:2/4]

An attacker can therefore use the User Profile Service of Windows,
in order to escalate his privileges.

ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN

http://vigilance.fr/vulnerability/Windows-privilege-escalation-via-User-Profile-Service-15946