Tencent PC Manager Privilege Escalation Vulnerability

A privilege escalation vulnerability has been identified in Tencent PC Manager versions through 17.10.28554.205 on Windows. This vulnerability allows a local user to execute programs with elevated privileges by exploiting a race condition. The issue arises from the application's insecure handling of files in the Windows Temp directory. During its scanning process, the application moves files to a temporary directory and subsequently deletes them. An unprivileged user can create symbolic links to coerce a SYSTEM-privileged process into deleting arbitrary files, leading to unauthorized privilege escalation.

Impact

Exploitation of this vulnerability allows for unauthorized privilege escalation, enabling a local user to execute programs with elevated rights.

Reproduction

To reproduce this vulnerability, a local user must create a folder in 'C:\Windows\Temp' and set an oplock on it. Once the 'QQPCRTP.exe' process, which runs with SYSTEM privileges, attempts to delete a subdirectory in the temporary scan directory, the user can intercept this operation by releasing the oplock, creating a junction to a privileged location, and then allowing the process to complete, resulting in the deletion of targeted files or folders.