Tencent iOA Privilege Escalation Vulnerability

A privilege escalation vulnerability has been identified in the Tencent iOA application for Windows, affecting versions through 210.9.28693.621001. This vulnerability allows local users to execute programs with elevated privileges by exploiting a race condition. The issue arises from the improper handling of files and directories in the Windows Temp folder, where symbolic link attacks can be used to manipulate a SYSTEM-privileged process into deleting arbitrary files, thereby escalating privileges.

Impact

Exploitation of this vulnerability could lead to unauthorized execution of programs with elevated privileges, allowing a local user to gain higher access rights on the system.

Reproduction

To reproduce this vulnerability, a local user must create a directory under C:\Windows\Temp\TencentDownload and set an opportunistic lock (OpLock) on a subdirectory with a tilde prefix. Once the 'LegacyKB_ioa_win.exe' process attempts to delete the '~' prefixed folder, the OpLock can be released, allowing the user to intercept the deletion and replace it with a symbolic link to a privileged location. After releasing the OpLock, the original file or folder can be deleted, achieving the desired privilege escalation.