Quite simply, once the links are scanned and reparsed, they redirect the user to the target path(s). Windows supports different types of filesystem links, that can be used to point files and directories to other target files and directories. If not implemented with caution, this could introduce some serious security vulnerabilities. Point being, now we have a high privileged component accessing files that can be written by any user. It reads the files, parses them, copies them to other directories, and sometimes even deletes them. Windows Error Reporting Task ScheduleĪfter it executes, wermgr.exe interacts with the pending report files and directories. It runs a dedicated binary code with a fixed command line argument – wermgr.exe -upload.įigure 2.It runs with System permissions, as defined in the ‘Security Options’ section of the task.This task is interesting from a security perspective because: This interaction can be triggered in several ways, one of which is by using a scheduled task called Windows Error Reporting\QueueReporting. Windows Error Reporting queue directoryĪfter a report is generated, it has to be sent to Microsoft for further analysis. To enable all processes to report their failures, the ReportQueue directory is writable for all users, as you can see below:įigure 1. The Windows Error Reporting tool is a flexible event-based feedback infrastructure designed to gather information about hardware and software problems that Windows can detect, report the information to Microsoft, and provide users with any available solutions.įor example, if Windows encounters a system crash or a failure, an error report is generated and stored under the WER report queue directory ( C:\ProgramData\Microsoft\Windows\WER\ReportQueue), where each report gets its own subdirectory and a unique Report.wer INI file with the relevant metadata. So how did this bug work exactly? Microsoft WER Under the Hood According to the Microsoft advisory, attackers exploited this bug as a zero-day in the wild until the patch was released in May 2019. Digging deeper into her submission, I discovered another zero-day vulnerability, which could be abused to elevate system privileges. In December 2018, a hacker who goes by the alias ‘Sandbo圎scaper’ publicly disclosed a zero-day vulnerability in the Windows Error Reporting (WER) component.
0 kommentar(er)
