


Due to permissive access rights on a log folder set by Hotspot Shield VPN Client, a popular consumer VPN, an unprivileged user could escalate privileges to create or write arbitrary files as SYSTEM, resulting in breaking the system and its components.

In 2015, James Forshaw exhibited new techniques to abuse Windows file system and path resolution features to gain the ability to read/write/create/delete arbitrary files, and also to elevate privileges. Two of the abused Windows features were NTFS Junctions and Object Manager Symbolic Links:

NTFS Junction - also called a soft link, is a pointer to a directory on the local volume, similar to symbolic links. Junctions are implemented through reparse points and can be created by unprivileged users. If a user wants to create a Junction from C:\src to C:\dst, the user must have write access to the src directory and src must be an empty folder.

Object Manager Symbolic Link - the object manager is a subsystem in Windows which manages Windows resources such as physical devices, files, or folders in a volume. The Object Manager uses symbolic links in various places, such as in the \GLOBAL?? namespace, where we can find for example how the C: drive is actually a symbolic link to \Device\HarddiskVolume3:

Figure 4: Exploit execution outputs an "evil.dll" file in the System32 folder

Mitigations

This vulnerability can be mitigated by applying accurate ACL permissions to any location where actions are performed by privileged processes, including C:\ProgramData\Hotspot Shield\logs.

Affected versions: Hotspot Shield VPN client for Windows versions 10.3.0 and earlier.

We would like to acknowledge Hotspot Shield (Pango) for their professional approach.

Timeline
June 14th, 2020: Vulnerability identified and reported to Hotspot Shield.
June 16th, 2020: Hotspot Shield confirmed receiving the report and replied they are evaluating a fix.
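To make the mitigation concrete, here is an added audit script (not from the advisory, Hotspot Shield, or Pango) that checks a folder a SYSTEM service writes into for the two conditions described above: ACEs granting write rights to low-privilege principals, and reparse points already planted inside it. The log path from the advisory is the default; the SID list and the rights mask are assumptions made for this example about what counts as risky.

```powershell
param(
    [string]$Path = 'C:\ProgramData\Hotspot Shield\logs'   # log folder named in the advisory
)

# SIDs every unprivileged interactive user holds; write rights granted to
# these let such a user plant files or reparse points where SYSTEM writes.
$lowPrivSids = @('S-1-1-0',       # Everyone
                 'S-1-5-11',      # Authenticated Users
                 'S-1-5-32-545',  # BUILTIN\Users
                 'S-1-5-4')       # INTERACTIVE

# Rights that allow creating, replacing, or repointing entries in the folder (assumed mask).
$fsr = [System.Security.AccessControl.FileSystemRights]
$writeMask = $fsr::WriteData -bor $fsr::AppendData -bor $fsr::Delete -bor
             $fsr::DeleteSubdirectoriesAndFiles -bor $fsr::WriteDac -bor $fsr::WriteOwner

function Get-WeakWriteAce {
    param([string]$Folder)
    foreach ($ace in (Get-Acl -LiteralPath $Folder).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate(
                  [System.Security.Principal.SecurityIdentifier]).Value } catch { continue }
        if (($lowPrivSids -contains $sid) -and
            (([int]($ace.FileSystemRights -band $writeMask)) -ne 0)) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Get-PlantedReparsePoint {
    param([string]$Folder)
    # Junctions and symlinks carry the ReparsePoint attribute; a privileged
    # writer that follows one ends up outside the folder it meant to write to.
    Get-ChildItem -LiteralPath $Folder -Recurse -Force -Attributes ReparsePoint `
                  -ErrorAction SilentlyContinue | Select-Object FullName, LinkType, Target
}

if (-not (Test-Path -LiteralPath $Path)) { Write-Warning "$Path not found"; return }
$weak = @(Get-WeakWriteAce -Folder $Path)
if ($weak.Count) { Write-Warning "Low-privilege write access on $Path"; $weak | Format-Table -AutoSize }
else             { "No low-privilege write ACEs on $Path" }
$links = @(Get-PlantedReparsePoint -Folder $Path)
if ($links.Count) { Write-Warning "Reparse points under $Path"; $links | Format-Table -AutoSize }
```

Run it from an elevated PowerShell session so Get-Acl can read the DACL regardless of the folder's own permissions.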
