So, I wanted to mess with Windows and limited users. This time, instead of trying to abuse Chrome elevation (on the old computers I was using, Chrome ran at an elevated level, so you could drag and drop files into it, wait for it to "download" them, then run them; the system would then treat the file as if it were being run by an administrator), I wanted to play with the actual Windows operating system and look for exploits there. I messed around a little bit and eventually ended up on the login page. Remembering the old Utilman.exe exploit (renaming cmd.exe to Utilman.exe allowed you to launch cmd as the Ease of Access tool, which got you a super-user cmd), I found the Spotlight tips. I noticed that by clicking on certain tips, I could launch Edge.
So I started poking around. The first thing I found was where the pictures for the login page were stored.
Yep our login background image was there.
But I was looking for the tips that appear on top of this image, so I started combing through the rest of the Windows.ContentDeliveryManager folder. After clicking through, I found that TargetedContentCache contained a bunch of randomly named folders. Most of these folders contained packages for the Microsoft Store, but one folder had an interesting file.
The file itself doesn't matter, and its name changes all the time, but inside it is some interesting data. After beautifying the JSON with https://codebeautify.org/jsonviewer, I found that the file contained the lock-screen image location.
More interestingly, this file also contained the tips API data, and it appears that the links the tips are supposed to open are hard-coded in it.
OK, so let's edit it. Most URI handlers work (e.g. http, ms-windows-store), and I am able to launch programs once a user logs in, provided they click one of the tips.
So, chained with another bug that exploits Windows URI handling, a hacker could potentially set up another, non-privileged user account, edit the cache so that his prompt displays, set the prompt size to fill the screen, and just wait for the user to click his tip. Then he could launch whatever program he wanted. This has a pretty limited use case, and it is not really a bug, but it is interesting that the login page assets are editable by any non-privileged user.
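As an added defensive check (my own example, not code from the post), here is a small auditor that walks a cached tips document and reports every URI whose scheme is not on an allowlist, which is the kind of tampering described above. The post does not show the real JSON schema, so the sample document, the `SAMPLE_CACHE` structure and the `EXPECTED_SCHEMES` allowlist are all constructed assumptions; the walker itself assumes nothing about the layout and visits every string in the file.

```python
import json
import re

# Constructed sample standing in for one TargetedContentCache entry. The post does
# not show the real schema, so the walker below assumes nothing about it and just
# visits every string in the document.
SAMPLE_CACHE = json.dumps({
    "lockscreen": {"image": "C:\\Users\\demo\\Pictures\\lockscreen.jpg"},
    "tips": [
        {"title": "Try Microsoft Edge", "action": "microsoft-edge:https://www.bing.com"},
        {"title": "Get apps", "action": "ms-windows-store://home"},
        {"title": "Free prize", "action": "http://example.invalid/prize"},
        {"title": "Open notepad", "action": "file:///C:/Windows/System32/notepad.exe"},
    ],
})

# Assumed allowlist of schemes a genuine tip is expected to use; tune to taste.
EXPECTED_SCHEMES = {"microsoft-edge", "ms-windows-store", "ms-settings", "https"}

# A scheme must be at least two characters so that a Windows drive letter
# ("C:\...") is not mistaken for a URI scheme.
URI_RE = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.-]+):")


def walk_strings(node, path="$"):
    """Yield (json_path, value) for every string anywhere in a parsed JSON tree."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from walk_strings(child, f"{path}.{key}")
    elif isinstance(node, list):
        for idx, child in enumerate(node):
            yield from walk_strings(child, f"{path}[{idx}]")
    elif isinstance(node, str):
        yield path, node


def find_unexpected_uris(text, expected=EXPECTED_SCHEMES):
    """Return [(json_path, scheme, uri)] for URIs whose scheme is not allowlisted."""
    hits = []
    for path, value in walk_strings(json.loads(text)):
        match = URI_RE.match(value)
        if match and match.group(1).lower() not in expected:
            hits.append((path, match.group(1).lower(), value))
    return hits


if __name__ == "__main__":
    for path, scheme, uri in find_unexpected_uris(SAMPLE_CACHE):
        print(f"{path}: unexpected scheme '{scheme}': {uri}")
```

Point `find_unexpected_uris` at the contents of each file under the TargetedContentCache folder to audit a real machine; the sample run flags the `http` and `file` entries and leaves the Edge and Store tips alone.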