Demonstration of how to perform Windows UAC Privilege Escalation (CVE-2019-1388). This vulnerability allows a user to escalate from a low privilege level (non-admin) to SYSTEM.
We’re going to use the exe that was used in the a PoC for this CVE. The exe can be downloaded here.
Run the program as a Admin and we should see a prompt similar to this:
Show details or
Show more details, and click the link that says
Show information about this publisher's certificate
A new window will appear showing the certificate info.
Issued By field, click the link:
- NOTE it will appear as if nothing happened. This is normal. A browser has actually been opened that we can’t see.
Close the window showing the certificate info, and the UAC prompt.
We can now see the browser that was opened:
- It doesn’t matter if the site doesn’t load. Internet is NOT required for this to work.
Our goal now is to open a file browser/saver window. There is a few ways we can do this.
One way is to click
Page -> Save As....
Another way is to click
Print -> Find Printer.
There’s other ways to do this, choose whatever works.
Once we have this new window open, we need to type
cmd in the location bar and click enter:
A command prompt will now open that should be running as SYSTEM: