GNU social JP
GNU social JP is a GNU social server in Japan.
Conversation

    Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 18-Apr-2025 05:07:58 JST

    Can confirm running this command as a non-admin user breaks April 2025 Windows OS patch installing on Windows 10 and 11, tested on home, pro and enterprise SKUs.

    mklink /j c:\inetpub c:\windows\system32\notepad.exe

      Polychrome :blabcat: (polychrome@poly.cybre.city)'s status on Thursday, 10-Apr-2025 23:42:28 JST
      @GossiTheDog wish I knew of this before the CoPilot update.
      GeneralX (generalx@freeradical.zone)'s status on Friday, 11-Apr-2025 00:06:54 JST

      @GossiTheDog IIS is still a thing?

      A More Honest Dystopia (h2onolan@infosec.exchange)'s status on Friday, 11-Apr-2025 00:31:12 JST

      @GossiTheDog okay but I now have an inetpub directory on a bunch of Windows systems that was not there April 7.

      dave (hologram@cyberplace.social)'s status on Friday, 11-Apr-2025 00:37:18 JST

      @GossiTheDog Very good, but what appalls me is "We noticed you regularly use your device between 3:00 PM and 8:00 AM". Who is "We"? The Queen of England? Fuck those people. One of many reasons why I will not use Windows, and why I will not sell myself out to solve any Windows-specific problems. Windows is the problem, to the extent it is not stolen property.
      Do I forgive Dave Cutler for selling out? No I do not. I think he was top notch, the sellout to Gates = Fail

      Fritz Adalis (fritzadalis@infosec.exchange)'s status on Friday, 11-Apr-2025 01:06:28 JST

      @GossiTheDog
      Can you do anything other than prevent installation? Maybe a hard link to system32 could break the machine if it changes the perms. Maybe a TOCTOU bug, watch the NTFS journal until the folder is there then replace with a hard link?

      DistroWatch (distrowatch@mastodon.social)'s status on Friday, 11-Apr-2025 01:50:47 JST

      @GossiTheDog Windows allows non-admin users to create any folder they want in C:\?
      That seems like a pretty big security issue on its own.

      m1rk0 (m1rk0@defcon42.net)'s status on Friday, 11-Apr-2025 02:02:10 JST
      • DistroWatch
      @GossiTheDog @distrowatch You can't, if the system is properly configured. By default I think you are right, but default is in most cases horseshit regardless of system or software.
      Will Dormann (wdormann@infosec.exchange)'s status on Friday, 11-Apr-2025 03:35:47 JST

      @GossiTheDog
      Specifically, I've seen all April updates install even when C:\inetpub exists ahead of time.

      I should have known better than to attribute the correlation of C:\inetpub in a VM before updates to the causation of a failed update.

      What happens with C:\inetpub is tough to see, as it either happens before the Procmon boot driver loads, or Procmon is otherwise foiled by the updates occurring. But either way, there's a bit of a blind spot between pre-reboot C:\inetpub not being there and it being there post-reboot. A Procmon boot log sees nothing. 😕


      Attachments

      1. https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/315/085/369/818/791/original/2e70f29df7d7ed13.png

      2. https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/315/096/002/788/236/original/c73ec6e4493404ac.png
      Christian (chrst@lethallava.land)'s status on Friday, 11-Apr-2025 03:37:51 JST

      @GossiTheDog@cyberplace.social something something Junction Points something something…

      Will Dormann (wdormann@infosec.exchange)'s status on Friday, 11-Apr-2025 04:30:15 JST

      @GossiTheDog
      Ah, that'd do it!
      But at the same time, creating files in the root directory requires admin privileges.
      And if you're a trigger-happy admin, there are plenty of footguns that you can use. 🤷♂️


      Attachments

      1. https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/315/306/010/556/017/original/4edcd62c718580ca.png

      2. https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/315/312/018/694/860/original/c76890f4e4d646cb.png
      Will Dormann (wdormann@infosec.exchange)'s status on Friday, 11-Apr-2025 04:50:57 JST

      @GossiTheDog
      You can?
      Non-admin users don't have SeCreateSymbolicLinkPrivilege, so I don't believe you. 😀


      Attachments

      1. https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/315/339/916/620/405/original/0ac365f918db7466.png
      qdkp (qdkp@cyberplace.social)'s status on Friday, 11-Apr-2025 04:52:54 JST, in reply to Will Dormann

      @wdormann @GossiTheDog Could you use a junction instead?

      Will Dormann (wdormann@infosec.exchange)'s status on Friday, 11-Apr-2025 05:00:25 JST

      @GossiTheDog
      Just to be clear, while mklink /h can itself be used by a non-admin user, that same non-admin user would not be able to create a hard link in C:\ as that would be the same as creating a file there. Which non-admin users can't do.

      Will Dormann (wdormann@infosec.exchange)'s status on Friday, 11-Apr-2025 05:29:26 JST

      @GossiTheDog
      Ah, you'd think that you couldn't.
      But indeed you can!
      That is, a non-admin user can create a "directory" junction to a file target, which will have the result of April's security updates failing to install. 😂

      It seems that this weird concept of a junction to a file achieves an unexpected double-standard:

      1. It counts as a directory when it comes to NTFS ACLs (a non-admin user can create a junction in C:\)
      2. Depending on how the junction is accessed, it might count as a file as opposed to being treated as a directory.

      This seems like a problem. Obviously in the case of April's updates here. But perhaps even more generically in that a junction to a file target seems to almost guarantee unexpected behavior.


      Attachments

      1. https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/315/468/118/374/963/original/117737951bd66c59.png

      2. https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/315/468/098/079/634/original/231bb5eedc25ad85.png

      3. https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/315/494/751/134/719/original/1f3da3b5b4a3c3d9.png

      4. https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/315/468/576/264/239/original/637c727e33bcbaa2.png
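The post above describes the anomaly from the defender's side: a directory-type reparse point (junction) under the volume root whose target is a file rather than a directory. The following script is an added example, not code from the thread or from any of its participants. It inventories reparse points directly under a volume root, resolves each target, and flags junctions that point at a file or at nothing, together with the owner of the junction object so that a non-admin creator stands out. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, the `Target` and `LinkType` properties PowerShell exposes on reparse-point items, and read access to the root being scanned; the function name is mine.

```powershell
# Added example (not from the thread): inventory reparse points directly under a
# volume root and flag junctions whose target is a file (or missing), the
# condition described in the post above.
# Assumptions: Windows PowerShell 5.1 or PowerShell 7 on Windows; the 'Target'
# and 'LinkType' properties PowerShell adds to reparse-point items; read access
# to the root. The function name is a placeholder chosen for this example.

function Get-RootReparsePointReport {
    [CmdletBinding()]
    param(
        [string]$Root = 'C:\'
    )

    # -Force includes hidden/system entries; -Attributes ReparsePoint keeps only
    # junctions, symlinks and other reparse points. No recursion: root only.
    Get-ChildItem -LiteralPath $Root -Force -Attributes ReparsePoint |
        ForEach-Object {
            $item = $_

            # PowerShell exposes the reparse target as 'Target' (string or string[]).
            $target = @($item.Target) | Select-Object -First 1

            # Classify what the junction resolves to. A junction is a directory
            # object on disk, so a file target is the inconsistent case.
            $targetKind = 'Unresolved'
            if ($target) {
                if (Test-Path -LiteralPath $target -PathType Leaf) {
                    $targetKind = 'File'
                }
                elseif (Test-Path -LiteralPath $target -PathType Container) {
                    $targetKind = 'Directory'
                }
                else {
                    $targetKind = 'Missing'
                }
            }

            # Owner of the junction object itself (not of its target) helps triage
            # who created it; a non-admin owner in the root is worth a look.
            $owner = 'Unknown'
            try { $owner = (Get-Acl -LiteralPath $item.FullName).Owner } catch { }

            [pscustomobject]@{
                Path       = $item.FullName
                LinkType   = $item.LinkType
                Target     = $target
                TargetKind = $targetKind
                Owner      = $owner
                Created    = $item.CreationTime
                # Directory-type reparse point resolving to a file or to nothing.
                Suspicious = ($item.PSIsContainer -and ($targetKind -in 'File', 'Missing'))
            }
        }
}

# Usage: full inventory, then only the anomalies.
Get-RootReparsePointReport | Format-Table -AutoSize
Get-RootReparsePointReport | Where-Object Suspicious
```

Because the report is built from the file system rather than from process telemetry, it also covers the case raised later in the thread where the link is created by a built-in cmd.exe command that spawns no child process; pairing a periodic scan like this with object-access auditing on the volume root gives both an after-the-fact inventory and a creation-time signal.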
      Busta (busta@infosec.exchange)'s status on Friday, 11-Apr-2025 21:09:29 JST
      • Will Dormann

      @GossiTheDog @wdormann They updated the FAQ for CVE-2025-21204 saying that it's intended and shouldn't be deleted as it will increase the system protection, lol.

      https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21204

      Will Dormann (wdormann@infosec.exchange)'s status on Friday, 11-Apr-2025 21:29:32 JST
      • Busta

      @GossiTheDog @Busta
      Hilarious.
      The two things that MSRC seems to aim to achieve are:

      1. Avoid saying anything about what their security updates do unless their hand is forced.
      2. Take the path of "least resistance" as opposed to fixing the root cause of problems. (In this case, non-admins can create subdirectories directly off of C:\)

      https://infosec.exchange/@wdormann/114319281111054638


      Attachments

      1. Will Dormann (@wdormann@infosec.exchange)
        Attached: 2 images So, apparently this is the "fix" for [CVE-2025-21204](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21204). Microsoft recently updated their advisory to say what the update does. Prior to everybody freaking out, the advisory for CVE-2025-21204 said nothing about what it does. Two gripes: 1. MSRC publishing content-free advisories has consequences, but they never seem to appreciate this. 2. I told MSRC **YEARS AGO** that they can avoid an entire class of LPE vulnerabilities in 3rd-party software **and** their own software by not allowing non-admin users to be able to create directories off of `C:\`. They refused to make any change because it might "break things". Great job, folks.
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 18-Apr-2025 05:09:30 JST

      Bonus points, if you run it from cmd.exe, it’s not logged in EDR products or detectable as mklink is built into cmd.exe, doesn’t spawn another process.

      Carsten (cblte@nrw.social)'s status on Friday, 18-Apr-2025 06:26:32 JST

      @GossiTheDog I am curious if this works on company provisioned laptops...

      dave (hologram@cyberplace.social)'s status on Friday, 18-Apr-2025 06:37:33 JST

      @GossiTheDog I used to care. Now, it's way past fuck Bill Gates and all Microsoft bullshit. Let it crash and burn. 🍺

      TechNomad (technomad@cyberplace.social)'s status on Friday, 18-Apr-2025 06:42:50 JST

      @GossiTheDog I completely deleted the Windows operating system 3 years ago. Yes, I am a .NET developer but I use JetBrains IDE. I don't care about the Windows ecosystem anymore.

      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 18-Apr-2025 06:48:54 JST

      I just realised my original thread on this auto deleted after a week, but it’s a vuln in Windows that MS introduced this month. I’ve reported it to MSRC. You can use it to stop Windows updates.

      Brian Clark (deepthoughts10@infosec.exchange)'s status on Friday, 18-Apr-2025 06:59:14 JST

      @GossiTheDog I didn’t realize this part. It won’t show up in MDE logs?

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.