Preface: Software application could allow an authenticated, local attacker to perform a DLL hijacking attack. To exploit this vulnerability, the attacker would need to have valid credentials on the Windows system.

Vulnerability details: If workstation install Python, by default it will install on the C Driver :\directory instead of the C Drive:\Program Files. Therefore the authenticated users will have write access in that directory. If user compromised by phishing attack. This give a way to conducting the privilege escalation because the attacker can share the authenticated user permission write a malicious DLL in Python program directory. When the computer reboot in next time the process will restart with the permission of that process. The vulnerability is due to insufficient validation of resources that are loaded by the application at run time. Or, it is a programming technique misused? Whether, it is a unknown matter?

Scenario of attack:

• An attacker could plant a DLL with the same name earlier in the import resolution search path, such as the application directory. Protected directories are more difficult – but not impossible – for an attacker to change.
• If the DLL is missing from the application, %windows%\system32, and %windows% directories, import resolution falls through to the current directory. An attacker could plant a DLL there.

Microsoft’s remedy: If you specify the link option /DEPENDENTLOADFLAG:0x800 (the value of the flag LOAD_LIBRARY_SEARCH_SYSTEM32), then the module search path is limited to the %windows%\system32 directory. It offers some protection from planting attacks on the other directories.

Preface: SharePoint will simply not use Framework versions for which they do not apply. For example, SharePoint 2010 uses .NET 2.0. If you install .NET 4, it will remain unused by SharePoint 2010. SharePoint 2019 uses .NET 4.7 and any lower version will simply not be used.

Background: Using Microsoft sharepoint as CRM, or external protal are popular setup past few years. SharePoint is a web-based platform built atop an ASP.NET framework. It is favored by many companies because the interface can be fully integrated with Microsoft Office.
Remark: SharePoint Server includes a set of web parts that users can add to pages after installing the product. If an organization needs custom web parts, a developer can write custom ASP.NET web parts and install them.

Design weakness: For .NET platform applications. By default, the executable string “Response.Write” after connection establish. Because the code-behind modules are compiled first, all of the output that is generated by Response.Write, Response.WriteFile, or inline server-side <SCRIPT> tags appears before any HTML tags when the HTML output is sent to the browser. Coincidentally, the chopper’s technique have way to conduct the attack to .NET Framework ASP.NET app.

Current status: The cyber criminals will be targeted insecure default configurations in common web servers. General speaking, they used their initial unauthorized access to place malicious web shell programs and credential-stealing software on victim networks, which allowed them to remotely execute commands on victim computers and related entities.

Preface: UAC bypass has following techniques – using Eventvwr and the Registry Key or using COM Handler Hijack

A new way with different technique: WSReset[.]exe open the Windows Store app and clear Windows Store Cache when Windows store cache is damaged or you encounter problems when using Windows Store. If an attacker can create a link that points this \InetCookies path (refer to attached diagram) to a target directory of attacker’s choice, the target directory will be the one deleted when wsreset runs.

Observation: UAC bypass power extend to evade access control. Security expert found this design weakness and conduct a proof of concept to shown on how to delete antivirus folder. Thus make it malfunction after reboot.
This findings awaken myself. The Microsoft UAC a security boundary provides opportunity for attacker.
From technical point of view, quite a lot of antivirus has file lock when the process running. Attacker may not make use of this method to compromise a machine.
However Directory junctions can be performed by any user and does not require administrator privileges making it perfect for exploiting by attacker. We keep our eye open, see whether vendor should address this technical matter.