Win8 Remote Desktop Vulnerability: Elevation of Privilege Using the QQ Pinyin Input Method (Pure Edition)

Source: Internet
Author: User

Preface

When I found this vulnerability, I was attending class in the IDC. I wanted to use Remote Desktop (port 3389) to control my dormitory computer, but I had forgotten its IP address after reinstalling the system, so I scanned the IP segment for computers with port 3389 enabled.

I did not expect to come across a Win8 system by chance, and that system also had the pure version of the QQ Input Method for Windows 8 installed.

At that moment I remembered a vulnerability from my junior high school days and tested it. I did not expect that seven or eight years later, the extremely secure Win8 system would have such a large vulnerability. Here I will repeat the elevation of privilege process.

Process

First, confirm that the QQ Pinyin input method is installed.

Press Ctrl + Space to call up the tray, then find this option.

Open IE.

The security of IE10 and Win8 has indeed improved a lot. Enter D:\ or file://d: in the address bar to open the folder. I thought I only needed to upload a bat batch file containing the privilege escalation commands and then use IE to download and run it. I did not expect the system to prompt for verification of the user password; downloading was not possible at all. It can be seen that the conventional method does not work. Microsoft is still fixing these vulnerabilities. However, after many attempts, I finally found one hole that has not been filled.

That is the "Save as" option in the File menu. Using it to save the web page opens the folder dialog box.

At this point I felt that victory was close. However, for more than half a class period I could not make a substantial breakthrough.

The folder dialog is limited to a few formats such as mht and txt.

I could even use Notepad and other programs to edit the privilege escalation commands, but the key step was always restricted by Microsoft. Whether saved as bat or opened with another program, the file could not be displayed or opened normally. Even when the file was saved as bat, the generated file could not be seen among the mht, txt and other files the dialog is limited to.



After many attempts, even enabling folder sharing had no effect. It can be seen that Win8 has greatly improved security.

At this point I thought back to the days and nights I struggled in junior high school and came up with a solution. That's right: the shortcut vulnerability.

For net.exe, the key program for the privilege escalation, you can create a shortcut directly.

A shortcut can be given parameters to run with. Create a shortcut and change its target to the net file in the system directory, followed by a space and the parameters.

Create the user Helper.

Add the user to the Administrators group to obtain the highest permissions.

Now the exciting moment arrives.

OK. The login is successful. It took one class period.

Only the QQ Pinyin input method was tested this time. If other input methods can call up IE directly, the same method can also be used to escalate permissions directly. I hope Microsoft can fix this vulnerability as soon as possible.
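A defender-side check for the activity described above, added here as an example and not part of the original post: it scans process-creation records for net.exe creating an account or adding a member to the Administrators group, and rates a finding higher when the parent process is not a command shell. The records are constructed and use Sysmon Event ID 1 field names; the `ev` helper, the sample account names and the expected-parent list are assumptions.

```python
import re
from pathlib import PureWindowsPath

NET = r"C:\Windows\System32\net.exe"
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
CMD = r"C:\Windows\System32\cmd.exe"

def ev(image, cmdline, parent):
    """Build a record with Sysmon Event ID 1 field names (hypothetical helper)."""
    return {"Image": image, "CommandLine": cmdline, "ParentImage": parent}

# Constructed sample records, not taken from a real host.
SAMPLE_EVENTS = [
    ev(NET, "net user Helper * /add", IE),
    ev(NET, "net localgroup administrators Helper /add", IE),
    ev(NET, "net user svc_backup * /add", CMD),
    ev(NET, "net user", CMD),
    ev(r"C:\Windows\System32\notepad.exe", "notepad.exe", r"C:\Windows\explorer.exe"),
]

NET_BINARIES = {"net.exe", "net1.exe"}
# Assumption: parents from which an administrator normally runs net.exe.
# net.exe is listed because it hands its arguments on to net1.exe.
EXPECTED_PARENTS = {"cmd.exe", "powershell.exe", "net.exe"}
ADMIN_GROUP_ADD = re.compile(r'\blocalgroup\s+"?administrators"?\s.*/add\b', re.I)
ACCOUNT_CREATE = re.compile(r"\buser\s.*/add\b", re.I)

def basename(path):
    return PureWindowsPath(path).name.lower()

def classify(event):
    """Return a finding dict for an account-changing net.exe run, else None."""
    if basename(event["Image"]) not in NET_BINARIES:
        return None
    cmd = event["CommandLine"]
    if ADMIN_GROUP_ADD.search(cmd):
        action = "admin-group-add"
    elif ACCOUNT_CREATE.search(cmd):
        action = "account-create"
    else:
        return None
    parent = basename(event["ParentImage"])
    severity = "medium" if parent in EXPECTED_PARENTS else "high"
    return {"action": action, "parent": parent, "severity": severity}

def scan(events):
    return [f for f in map(classify, events) if f is not None]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```
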
