CVE-2019-1253
published 2019-09-11


Priority: P1 (85) · Severity: high · CVSS 3.1 base score 7.8
CVSS 3.1 vector: AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
CISA Known Exploited Vulnerability (remediation due 2022-04-05)
Exploited in the wild
EPSS: 11.62% (95.5th percentile)
An elevation of privilege vulnerability exists when the Windows AppX Deployment Server improperly handles junctions. To exploit this vulnerability, an attacker would first have to gain execution on the victim system, aka 'Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-1215, CVE-2019-1278, CVE-2019-1303.

Affected

44 ranges · showing 25 (the version range and fixed-in columns were not recovered for any row)

Vendor      Product                                            Ranges shown
microsoft   windows                                            11
microsoft   windows_10                                         6
microsoft   windows_10_version_1903_for_32-bit_systems         1
microsoft   windows_10_version_1903_for_arm64-based_systems    1
microsoft   windows_10_version_1903_for_x64-based_systems      1
microsoft   windows_server                                     3
microsoft   windows_server_2008                                1
microsoft   windows_server_2012                                1

Detection & IOCs (extracted from sources)

path: C:\Windows\win.ini
other: 584964c1-f983-498d-8370-23e27fdd0399 (TypeLib GUID of the public C# exploit)
yara:
  rule HKTL_NET_GUID_CVE_2019_1253 {
      meta:
          description = "Detects c# red/black-team tools via typelibguid"
          reference = "https://github.com/padovah4ck/CVE-2019-1253"
          author = "Arnim Rupp"
          date = "2020-12-28"
      strings:
          // TypeLib GUID baked into the compiled C# assembly; matched as ASCII and UTF-16 (wide), case-insensitive
          $typelibguid0 = "584964c1-f983-498d-8370-23e27fdd0399" ascii nocase wide
      condition:
          // MZ header plus a PE signature at e_lfanew (i.e. a PE file) that contains the GUID
          (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
  }
  • Monitor AppXSvc (the AppX Deployment Server, which runs as LocalSystem inside svchost.exe) for security descriptor rewrites on files outside normal AppX package paths; the public exploit reaches arbitrary files by hard-linking settings.dat.LOG2 to them.
  • Treat creation of a hard link from settings.dat.LOG2 (in the Microsoft Edge package's Settings directory under the user profile) to a sensitive system file such as C:\Windows\win.ini as an exploitation indicator.
  • Alert on DACL/security descriptor overwrites by AppXSvc on files that belong to no AppX package, especially when they grant GENERIC_ALL (full control) to a low-privileged user.
  • Scan PE binaries for the TypeLib GUID 584964c1-f983-498d-8370-23e27fdd0399 to identify compiled C# exploit tools targeting CVE-2019-1253; the YARA rule above encodes this check.
  • The attacker must already have code execution on the victim system before exploitation can proceed; this is local privilege escalation (CVSS AV:L, PR:L), not a remote vulnerability.
  • MSRC describes the root cause as improper handling of junctions, while the public exploit demonstrates exploitation via file hard links against settings.dat.LOG2; both primitives merit detection coverage. Before using the PoC to validate detections, confirm on the target build that an unprivileged user can still create a hard link to a file it cannot write; newer Windows 10 builds block this, which removes the primitive the PoC relies on.
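The bullets above describe one procedure: a low-privileged user hard-links settings.dat.LOG2 to a file outside any package directory, then AppXSvc (LocalSystem, hosted in svchost.exe) rewrites that file's DACL and grants the user full control. As an added example, not code from this page, from the padovah4ck repository or from Microsoft, the detector below correlates Windows Security events 4664 ("An attempt was made to create a hard link") and 4670 ("Permissions on an object were changed") to catch that sequence, and parses the SDDL in 4670's OldSd/NewSd fields to decide whether full control was newly granted to a non-privileged SID. Assumptions made here: 4664's FileName is the existing file and LinkName the new link; 4670's ObjectName is the path the handle was opened with, so a rewrite through the link is logged under the settings.dat.LOG2 path and the real target has to be recovered from the earlier 4664; 4670 is only generated for files whose SACL audits WRITE_DAC. Field names follow the Windows event schemas; the events, SIDs and paths themselves are constructed.

```python
import re
from typing import Dict, List

# Added example; the event data at the bottom is constructed, not real telemetry.
SYSTEM_SID = "S-1-5-18"
# Grantees that legitimately hold full control on system files (SDDL aliases
# plus the raw SIDs they stand for); anyone else newly granted it is suspect.
PRIVILEGED = {"SY", "BA", "S-1-5-18", "S-1-5-32-544"}
FILE_ALL_ACCESS = 0x1F01FF
GENERIC_ALL = 0x10000000
# Directories where AppXSvc is expected to rewrite security descriptors.
APPX_PATH_MARKERS = ("\\appdata\\local\\packages\\", "\\program files\\windowsapps\\")
ACE_RE = re.compile(r"\(([^)]*)\)")


def rights_include_full_control(rights: str) -> bool:
    """Interpret an SDDL ACE access mask, hex ("0x1f01ff") or symbolic ("FA", "GRGX")."""
    rights = rights.strip()
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return (mask & FILE_ALL_ACCESS) == FILE_ALL_ACCESS or bool(mask & GENERIC_ALL)
    codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}  # two-letter codes
    return bool(codes & {"FA", "GA"})


def full_control_grantees(sddl: str) -> List[str]:
    """SIDs or aliases granted full control by access-allowed ACEs in the DACL."""
    if "D:" not in sddl:
        return []
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]  # strip any trailing SACL
    grantees = []
    for ace in ACE_RE.findall(dacl):
        fields = ace.split(";")  # type;flags;rights;object_guid;inherit_guid;sid
        if len(fields) >= 6 and fields[0] == "A" and rights_include_full_control(fields[2]):
            grantees.append(fields[5])
    return grantees


def is_appx_package_path(path: str) -> bool:
    lowered = path.lower()
    return any(marker in lowered for marker in APPX_PATH_MARKERS)


def correlate(events: List[Dict]) -> List[Dict]:
    """Walk events in time order and return alerts for the CVE-2019-1253 pattern."""
    pending = {}  # lower-cased link path -> (creator SID, real target file)
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 4664:
            link, target = str(ev["LinkName"]), str(ev["FileName"])
            # A hard link inside a package directory that points at a file outside
            # it is suspicious by itself; remember it for the 4670 that follows.
            if is_appx_package_path(link) and not is_appx_package_path(target):
                pending[link.lower()] = (ev["SubjectUserSid"], target)
                alerts.append({"rule": "hardlink-into-package-dir", "link": link,
                               "target": target, "by": ev["SubjectUserSid"]})
        elif (eid == 4670 and ev.get("SubjectUserSid") == SYSTEM_SID
              and str(ev.get("ProcessName", "")).lower().endswith("\\svchost.exe")):
            obj = str(ev.get("ObjectName", ""))
            newly = sorted(set(full_control_grantees(str(ev.get("NewSd", ""))))
                           - set(full_control_grantees(str(ev.get("OldSd", ""))))
                           - PRIVILEGED)
            if not newly:
                continue
            linked = pending.get(obj.lower())
            if linked and linked[0] in newly:
                # The rewrite was logged under the link path; report the real file.
                alerts.append({"rule": "dacl-rewrite-through-hardlink",
                               "target": linked[1], "granted_to": linked[0]})
            elif not is_appx_package_path(obj):
                alerts.append({"rule": "dacl-rewrite-outside-package",
                               "target": obj, "granted_to": newly})
    return alerts


USER = "S-1-5-21-1000-2000-3000-1001"  # constructed user SID
SVCHOST = "C:\\Windows\\System32\\svchost.exe"
EDGE_SETTINGS = ("C:\\Users\\alice\\AppData\\Local\\Packages\\"
                 "Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Settings\\")
SAMPLE_EVENTS = [  # constructed, in chronological order
    {"EventID": 4664, "SubjectUserSid": USER,
     "FileName": "C:\\Windows\\win.ini", "LinkName": EDGE_SETTINGS + "settings.dat.LOG2"},
    {"EventID": 4670, "SubjectUserSid": SYSTEM_SID, "ProcessName": SVCHOST,
     "ObjectName": EDGE_SETTINGS + "settings.dat.LOG2",
     "OldSd": "D:AI(A;;FA;;;SY)(A;;FA;;;BA)(A;;0x1200a9;;;BU)",
     "NewSd": "D:AI(A;;FA;;;" + USER + ")(A;;FA;;;SY)(A;;FA;;;BA)"},
    {"EventID": 4670, "SubjectUserSid": SYSTEM_SID, "ProcessName": SVCHOST,  # normal housekeeping
     "ObjectName": EDGE_SETTINGS + "settings.dat.LOG1",
     "OldSd": "D:AI(A;;FA;;;SY)(A;;FA;;;BA)",
     "NewSd": "D:AI(A;;FA;;;" + USER + ")(A;;FA;;;SY)(A;;FA;;;BA)"},
    {"EventID": 4670, "SubjectUserSid": SYSTEM_SID, "ProcessName": SVCHOST,  # hex mask, Everyone
     "ObjectName": "C:\\Windows\\System32\\drivers\\etc\\hosts",
     "OldSd": "D:AI(A;;FA;;;SY)(A;;FA;;;BA)",
     "NewSd": "D:AI(A;;0x1f01ff;;;WD)(A;;FA;;;SY)(A;;FA;;;BA)"},
    {"EventID": 4670, "SubjectUserSid": SYSTEM_SID, "ProcessName": SVCHOST,  # read-only grant, benign
     "ObjectName": "C:\\Windows\\win.ini",
     "OldSd": "D:AI(A;;FA;;;SY)(A;;FA;;;BA)",
     "NewSd": "D:AI(A;;FA;;;SY)(A;;FA;;;BA)(A;;0x1200a9;;;BU)"},
]
```

Running correlate(SAMPLE_EVENTS) yields three alerts: the hard link into the Edge Settings directory, the DACL rewrite that reached C:\Windows\win.ini through it, and a standalone full-control grant to Everyone on the hosts file. The filter on SYSTEM plus svchost.exe is coarse, since 4670 does not record which service the host process runs; narrow it further by joining on the AppXSvc process ID where your pipeline has it, and expect nothing at all unless the files you care about carry a SACL that audits WRITE_DAC.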

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      7.8     HIGH       CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      7.2     HIGH       AV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck                 7.8     HIGH
cisa                      7.8     HIGH
vendor_msrc               7.8     HIGH
vendor_redhat             4.8     MEDIUM