> An unprivileged (local) user who is able to place UXTheme.dll or any of the other DLLs loaded by the vulnerable executable in %SystemRoot%\Temp\ gains escalation of privilege to the SYSTEM account.
On my machine at least an unprivileged user does not have access to %SystemRoot%\Temp\ so it seems to be a case of what Raymond Chen refers to as "on the other side of the airtight hatchway".
I need to test this later as I only have access to an unprivileged account at the moment, but based on comments online (https://stackoverflow.com/a/11917816), C:\Windows\Temp (%systemroot%\Temp redirects here, and is the folder Skype accesses from) is write only for unprivileged users (FILE_ADD_FILE).
Preliminary testing shows that I was able to write there without any problem. No way for me to read it at the moment though...
You're right. It is possible to write a file but not to list or access any other files. So it is a security bug. You could "fix" it yourself though, by using a privileged account and copying any DLLs loaded by the Skype updater into the directory. An unprivileged user would not be able to overwrite the files.
Not sure, but based on the image in the stackoverflow link, it states that it has FILE_ADD_FILE, which translates in the GUI to “Create files / write data,” which I would assume means that overwrites are possible. Don’t trust my word on that though as I am no expert. Will try that a bit later and see what happens.
You still can't overwrite files created by privileged users unless explicitly allowed to do so by the creator of the file. If you could, a lot more things would be broken in Windows.
I believe the default permissions for a volume grant users the ability to create folders, so they should be able to create a folder in C: called Temp and put files into it.
It’s also possible that when Skype’s updater creates the folder it has different ACLs.
> I believe the default permissions for a volume grant users the ability to create folders, so they should be able to create a folder in C: called Temp and put files into it.
That's inaccurate. UAC makes it appear like you can; if you try to do this as an unprivileged user on a default install, it will fail.
Plus even if you could create C:\Temp, you'd need to add it to the system-scoped environmental variable PATH for it to be searched for libraries. If you could do that you've already effectively escalated without this.
This Skype issue exists because they're running a SYSTEM level process from a directory a normal user owns.
I too cannot access C:\Windows\Temp at all without escalating permissions. Neither can I write to anything in C:\Windows as described in the original source without escalated permissions.
I'm a little puzzled about what would stop someone with the same permissions from doing exactly the same thing with the fully qualified name.
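A defender's check of the folder permissions the comments above disagree about, as an added example that is not part of any comment or of the quoted advisory. It assumes an elevated PowerShell 5 or later prompt; the `$trusted` list and the report column names are assumptions to adjust locally.

```powershell
using namespace System.Security.AccessControl
# Added example: audit who may drop files into %SystemRoot%\Temp.
$dir = Join-Path $env:SystemRoot 'Temp'

# Assumption: principals that are expected to write here; adjust to local policy.
$trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
           'NT SERVICE\TrustedInstaller'

# 1. Which other principals can add files to the folder itself?
$folderAces = foreach ($ace in (Get-Acl -LiteralPath $dir).Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if ($trusted -contains $ace.IdentityReference.Value) { continue }
    # Inherit-only ACEs apply to children, not to the folder.
    if ($ace.PropagationFlags.HasFlag([PropagationFlags]::InheritOnly)) { continue }
    $r = $ace.FileSystemRights
    [pscustomobject]@{
        Principal  = $ace.IdentityReference.Value
        CanAddFile = $r.HasFlag([FileSystemRights]::CreateFiles)    # FILE_ADD_FILE
        CanList    = $r.HasFlag([FileSystemRights]::ListDirectory)  # FILE_LIST_DIRECTORY
        Rights     = $r
    }
}
# "Write but not list" shows up as CanAddFile = True, CanList = False.
$folderAces | Where-Object CanAddFile | Format-Table -AutoSize

# 2. For DLLs already in the folder: who owns them, and can an untrusted
#    principal replace them (write data or delete)?
$dllReport = foreach ($file in (Get-ChildItem -LiteralPath $dir -Filter *.dll -File)) {
    $facl = Get-Acl -LiteralPath $file.FullName
    $weak = $facl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $trusted -notcontains $_.IdentityReference.Value -and
        ($_.FileSystemRights.HasFlag([FileSystemRights]::WriteData) -or
         $_.FileSystemRights.HasFlag([FileSystemRights]::Delete))
    }
    [pscustomobject]@{
        File         = $file.Name
        Owner        = $facl.Owner   # a non-admin owner can rewrite the DACL
        ReplaceableBy = ($weak.IdentityReference.Value -join ', ')
    }
}
$dllReport | Format-Table -AutoSize
```

A row in the first table means that principal can plant a new file in the folder; an untrusted owner or a non-empty `ReplaceableBy` in the second means an existing DLL there is not protected against replacement.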