CVE-2019-1322

unknown KEV

Published 2022-03-15 · Modified 2022-03-15

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

2.5

Description

A privilege escalation vulnerability exists when Windows improperly handles authentication requests. An attacker who successfully exploited this vulnerability could run processes in an elevated context.

CISA KEV

Vendor: Microsoft
Product: Windows
Due date: 2022-04-05

Predictions

Exploit likelihood

99%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-47805 local windows verified

Metasploit · 2019-12-30

Microsoft UPnP - Local Privilege Elevation (Metasploit)

Source code queued for fetch — refresh in a moment.

EDB-47684 local windows text · 2 KB

TomahawkAPT69 · 2019-11-14

Microsoft Windows 10 Build 1803 < 1903 - 'COMahawk' Local Privilege Escalation

text exploit Source: Exploit-DB

## EDB Note
Download:
- https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47684-1.exe
- https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47684-2.zip


# COMahawk
**Privilege Escalation: Weaponizing CVE-2019-1405 and CVE-2019-1322**

## Video Demo
https://vimeo.com/373051209

## Usage

### Compile or Download from Release (https://github.com/apt69/COMahawk/releases)

1. Run COMahawk.exe
2. ???
3. Hopefully profit

or

1. COMahawk.exe "custom command to run" (ie. COMahawk.exe "net user /add test123 lol123 &")
2. ???
3. Hopefully profit

## Concerns
**MSDN mentioned that only 1803 to 1903 is vulnerable to CVE-2019-1322. If it doesn't work, maybe it was patched.**

However, it is confirmed that my 1903 does indeed have this bug so maybe it was introduced somewhere inbetween. YMMV.

Also, since you are executing from a service - you most likely cannot spawn any Window hence all command will be "GUI-less". Maybe different session? Idk, it is too late and I am tired haha.

## Credits:
https://twitter.com/leoloobeek for helping me even when he doesn't even have a laptop

https://twitter.com/TomahawkApt69 for being the mental support and motivation

and most of all:

https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/november/cve-2019-1405-and-cve-2019-1322-elevation-to-system-via-the-upnp-device-host-service-and-the-update-orchestrator-service/

for discovering and publishing the write up. 100% of the credit goes here.

Metasploit modules

exploit_windows/local/comahawk rank 600

Microsoft UPnP Local Privilege Elevation Vulnerability

Source fetch failed: fetch_error — view the original via the link above.

References

https://nvd.nist.gov/vuln/detail/CVE-2019-1322

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.