Windows 10 command “wsreset” co-exists with “mklink” generate a way of User Account Control bypass. (21st JUl 2020)

Preface: UAC bypass has following techniques – using Eventvwr and the Registry Key or using COM Handler Hijack

A new way with different technique: WSReset[.]exe open the Windows Store app and clear Windows Store Cache when Windows store cache is damaged or you encounter problems when using Windows Store. If an attacker can create a link that points this \InetCookies path (refer to attached diagram) to a target directory of attacker’s choice, the target directory will be the one deleted when wsreset runs.

Observation: UAC bypass power extend to evade access control. Security expert found this design weakness and conduct a proof of concept to shown on how to delete antivirus folder. Thus make it malfunction after reboot.
This findings awaken myself. The Microsoft UAC a security boundary provides opportunity for attacker.
From technical point of view, quite a lot of antivirus has file lock when the process running. Attacker may not make use of this method to compromise a machine.
However Directory junctions can be performed by any user and does not require administrator privileges making it perfect for exploiting by attacker. We keep our eye open, see whether vendor should address this technical matter.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.