Description
The Boxstarter installer configures C:\ProgramData\Boxstarter to be in the system-wide PATH environment variable. However, this directory is writable by normal, unprivileged users.
Exploit
Place a DLL in this directory that a privileged service is looking for. For example, WptsExtensions.dll
When Windows starts, it'll execute the code in DllMain() with SYSTEM privileges.
Impact
An unprivileged user can execute code with SYSTEM privileges.
(privilege escalation)
Description
The Boxstarter installer configures C:\ProgramData\Boxstarter to be in the system-wide PATH environment variable. However, this directory is writable by normal, unprivileged users.
Exploit
Place a DLL in this directory that a privileged service is looking for. For example, WptsExtensions.dll
When Windows starts, it'll execute the code in DllMain() with SYSTEM privileges.
Impact
An unprivileged user can execute code with SYSTEM privileges.
(privilege escalation)