CVE-2019-0841
published 2019-04-09


Priority: P1 · 87 · high · 7.8 (CVSS 3.1)
CVSS 3.1 vector: AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Flags: KEV · ITW · Exploit · Ransomware
CISA Known Exploited Vulnerability, due 2022-04-05
Exploited in the wild
EPSS: 41.67% (98.5th percentile)
An elevation of privilege vulnerability exists when Windows AppX Deployment Service (AppXSVC) improperly handles hard links, aka 'Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-0730, CVE-2019-0731, CVE-2019-0796, CVE-2019-0805, CVE-2019-0836.

Affected

38 ranges · showing 25

Vendor      Product                                         Ranges shown
microsoft   windows                                         11
microsoft   windows_10                                      5
microsoft   windows_server                                  4
microsoft   windows_server_2008                             1
microsoft   windows_server_2012                             1
microsoft   windows_server_2016                             2
msrc        windows_10_version_1703_for_32-bit_systems      1

Detection & IOCs (extracted from sources)

path: %USERPROFILE%\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Settings\Settings.dat
path: %WINDIR%\system32\license.rtf
path: %TEMP%\etw
filename: CVE-2019-0841_x86.exe
filename: CVE-2019-0841_x64.exe
filename: diaghub_load_x86.exe
filename: diaghub_load_x64.exe
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46683.zip
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46938.zip
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47389.zip
command: cmd.exe /c start /min microsoft-edge:
command: taskkill /F /IM MicrosoftEdge.exe /FI "STATUS eq RUNNING"
command: start ms-paint:
path: Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Microsoft.MicrosoftEdge_44.17763.1.0_neutral__8wekyb3d8bbwe
path: Microsoft.MSPaint_8wekyb3d8bbwe\Settings
filename: polarbear.exe
filename: windowsappslpe.exe
  • Monitor for hard link creation targeting sensitive system files (e.g., C:\Windows\win.ini, C:\Windows\system32\license.rtf) from low-privileged user contexts, particularly within AppX package Settings directories.
  • Alert on unexpected DACL/security descriptor modifications to SYSTEM-owned files initiated by the AppXSvc (AppX Deployment Service) process.
  • Detect deletion of settings.dat (and settings.dat.LOG1/LOG2) files under AppX package Settings folders followed immediately by hard link creation in the same directory.
  • Flag process execution of MicrosoftEdge.exe being forcibly terminated (taskkill) by a non-administrative user, followed by AppXSvc activity on the Edge Settings directory.
  • Monitor for creation of directories matching the pattern Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Microsoft.MicrosoftEdge_*_neutral__8wekyb3d8bbwe under %LOCALAPPDATA% by low-privileged users, as this is a precursor step in the bypass exploit.
  • Detect the Diagnostics Hub Standard Collector Service (DiagHub) loading a DLL from a user-writable temp path, which is the post-exploitation privilege escalation technique chained with CVE-2019-0841.
  • Check Windows 10 build number via win32k.sys file version; builds below 17763 are confirmed vulnerable to CVE-2019-0841.
  • Monitor for the IShdocvwBroker ShowOpenFile() method being invoked from a specially crafted HTML file in IE11, which can be used to break out of the IE11 sandbox when chained with an RCE.
  • The Edge version string embedded in the exploit directory path must match the currently installed Edge version on the target; the exploit will fail if the version component (e.g., 44.17763.1.0) does not match.
  • The bearlpe PoC (zero-day bypass) was confirmed to work on fully patched Windows 10 32-bit and 64-bit and Windows Server 2016/2019, but could NOT be reproduced on Windows 7 or Windows 8.
  • The CVE-2019-0841-BYPASS targets Microsoft Edge and was originally discovered by another researcher; the bypass was still exploitable even after the original CVE-2019-0841 patch was applied.
  • The Metasploit module targets Windows 10 builds strictly prior to build 17763; build 17763 and above are flagged as 'Detected' (potentially patched) rather than 'Appears' (vulnerable).

CVSS provenance

Source        Version   Score   Severity   Vector
nvd           v3.1      7.8     HIGH       CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd           v2.0      7.2     HIGH       AV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck     -         7.8     HIGH       -
cisa          -         7.8     HIGH       -
vendor_msrc   -         6.8     MEDIUM     -