The high-severity privilege escalation vulnerability tracked as CVE-2020-16877 affected Windows Server and Windows 10.
IOActive cybersecurity researchers have disclosed a privilege escalation vulnerability in Windows systems that can be exploited by abusing games uploaded to the Microsoft Store.
The vulnerability is classified as CVE-2020-16877 and rated high severity. It mainly affects Windows 10 and Windows Server.
The flaw was discovered and reported to Microsoft by IOActive’s principal security consultant, Donato Ferrante. In his blog post published this week, Ferrante explained how an attacker with only a standard user account could exploit this flaw to escalate privileges on Windows 10 systems.
According to the researcher, the issue was identified while investigating Microsoft’s modification allowance for certain games available on Microsoft Store.
Furthermore, the researcher downloaded a game with its mods and assessed the evaluation process. He found that an attacker could easily abuse the process, creating symlinks to delete or overwrite arbitrary files on the system and thereby obtain privilege escalation.
Ferrante created symlinks between the ModifiableWindowsApps folder and a folder stored on another drive that he could access. Microsoft creates the ModifiableWindowsApps folder for storing games.
Using this technique, Ferrante hijacked the installation process and obtained elevated privileges by both overwriting and deleting files on the system.
However, as Ferrante explained in his blog post, the attacker must change the Windows storage settings so that new apps are saved to the drive they want to access, and install a game from the Microsoft Store.
The researcher said that it was possible to conceal some of the steps involved in the attack. Still, he did not want to investigate any further and informed Microsoft about the vulnerability.
The researcher shared GIF files showing a proof of concept (PoC) of the attack.
Microsoft patched the vulnerability in its October Patch Tuesday update. However, malicious actors can still exploit this vulnerability to obtain privilege escalation on Windows-based systems via the Microsoft Store if the targeted system has not been updated to the latest version.
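On systems that may still be missing the update, a defender can audit the ModifiableWindowsApps folder for symlinks or junctions that resolve outside it, which is the condition the technique above relies on. The script below is an added example, not code from the article or from IOActive; the `<drive>:\Program Files\ModifiableWindowsApps` location and the function names are assumptions.

```python
import os
import stat
import string

FOLDER = "ModifiableWindowsApps"  # folder name taken from the article

def is_link(path):
    """True for symlinks and, on Windows, junctions or other reparse points."""
    st = os.lstat(path)
    attrs = getattr(st, "st_file_attributes", 0)  # field exists only on Windows
    return stat.S_ISLNK(st.st_mode) or bool(attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT)

def audit(root):
    """Return (path, resolved_target, escapes_root) for each link at or under root."""
    root = os.path.normpath(os.path.abspath(root))
    # Resolve only the parent, so a link planted at root itself is still noticed.
    parent = os.path.realpath(os.path.dirname(root))
    base = os.path.normcase(os.path.join(parent, os.path.basename(root)))

    def describe(path):
        resolved = os.path.realpath(path)
        try:
            common = os.path.commonpath([base, os.path.normcase(resolved)])
            escapes = common != base
        except ValueError:  # target is on a different drive (Windows)
            escapes = True
        return (path, resolved, escapes)

    if is_link(root):
        return [describe(root)]
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if is_link(full):
                findings.append(describe(full))
        # Never descend through a link; older Python versions follow junctions.
        dirnames[:] = [d for d in dirnames if not is_link(os.path.join(dirpath, d))]
    return findings

if __name__ == "__main__":
    # Assumed location: <drive>:\Program Files\ModifiableWindowsApps on every drive.
    for letter in string.ascii_uppercase:
        candidate = os.path.join(letter + ":\\", "Program Files", FOLDER)
        if os.path.lexists(candidate):
            for path, target, escapes in audit(candidate):
                print("ESCAPES" if escapes else "internal", path, "->", target)
```

A link reported as `ESCAPES` is a lead for review alongside patch status, not proof of exploitation.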