Published: 09/04/2019 Updated: 07/06/2019
CVSS v2 Base Score: 7.2 | Impact Score: 10 | Exploitability Score: 3.9
CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8
VMScore: 736
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

An elevation of privilege vulnerability exists when Windows AppX Deployment Service (AppXSVC) improperly handles hard links, aka 'Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-0730, CVE-2019-0731, CVE-2019-0796, CVE-2019-0805, CVE-2019-0836.

Vulnerability Trend

Affected Products

Vendor Product Versions
MicrosoftWindows 101703, 1709, 1803, 1809
MicrosoftWindows Server 20161709, 1803
MicrosoftWindows Server 2019-


This vulnerability allows low privileged users to hijack file that are owned by NT AUTHORITY\SYSTEM by overwriting permissions on the targeted file Successful exploitation results in "Full Control" permissions for the low privileged user 1 The exploit first checks if the targeted file exists, if it does it will check its permissions Since we ...
There is still a vuln in the code triggered by CVE-2019-0841 The bug that this guy found: krbtgtpw/dacl-permissions-overwrite-privilege-escalation-cve-2019-0841/ If you create the following: (GetFavDirectory() gets the local appdata folder, fyi) CreateDirectory(GetFavDirectory() + L"\\Packages\\MicrosoftMicrosoftEdge_8wekyb3d8bbwe\\Mi ...
CVE-2019-0841 BYPASS #2 There is a second bypass for CVE-2019-0841 This can be triggered as following: Delete all files and subfolders within "c:\users\%username%\appdata\local\packages\MicrosoftMicrosoftEdge_8wekyb3d8bbwe\" (atleast the ones we can delete as user) Try to launch edge It will crash the first time When we launch it a second ...

Github Repositories

SharpPolarBear This is a weaponized version for one of the Exploits published by SandboxEscaper from here (githubcom/SandboxEscaper/polarbearrepo) Most of the code comes from rasta-mouse CollectorService repository (githubcom/rasta-mouse/CollectorService) I just changed the CVE-2019-0841-Code to a cMost of the code comes from rasta-mouse CollectorService rep

Recent Articles

SandboxEscaper Debuts ByeBear Windows Patch Bypass
Threatpost • Lindsey O'Donnell • 07 Jun 2019

Guerrilla developer SandboxEscaper has disclosed a second bypass exploit for a patch that fixes a Windows local privilege-escalation (LPE) flaw — again without notifying Microsoft.
The exploit, dubbed “ByeBear,” enables attackers to get past the patch to attack a permissions-overwrite, privilege-escalation flaw (CVE-2019-0841), which exists because Windows AppX Deployment Service (AppXSVC) improperly handles hard links. It allows a local attacker to run processes in an elevated conte...

Zero-Day No More: Windows Bug Gets a Fix
Threatpost • Tara Seals • 04 Jun 2019

The local privilege-escalation (LPE) zero-day bug in Microsoft Task Scheduler, disclosed by SandboxEscaper on Twitter in late May by way of making public a fully functioning exploit, now has a micropatch.
The interim fix, from 0patch, was issued Tuesday to address the vulnerability. The bug would allow LPE via importing legacy tasks from other systems into the Task Scheduler utility.
Mitja Kolsek, co-founder of 0patch and CEO of Arcos Security, told Threatpost that the bug (which he ...

SandboxEscaper Drops Three More Windows Exploits, IE Zero-Day
Threatpost • Lindsey O'Donnell • 23 May 2019

On the heels of releasing a Windows zero-day exploit on Wednesday, developer SandboxEscaper has dropped exploit code for four more flaws on Thursday morning.
On Wednesday, she dropped a Windows zero-day exploit that would allow local privilege-escalation (LPE), by importing legacy tasks from other systems into the Task Scheduler utility – and she promised four more unpatched bugs while she was at it.
SandboxEscaper held true to that promise, on Thursday releasing on GitHub the proo...

Microsoft Patch Tuesday – April 2019
Symantec Threat Intelligence Blog • Himanshu Mehta • 10 Apr 2019

This month the vendor has patched 74 vulnerabilities, 14 of which are rated Critical.

Posted: 10 Apr, 201927 Min ReadThreat Intelligence SubscribeFollowtwitterfacebooklinkedinMicrosoft Patch Tuesday – April 2019This month the vendor has patched 74 vulnerabilities, 14 of which are rated Critical.As always, customers are advised to follow these security best practices:

Install vendor patches as soon as they are available.
Run all software with the least privileges required while still maintaining ...