| Title | AntiDupl 2.3.12 Link Following |
|---|
| Description | NAME OF VULNERABILITY: Exploit File Delete to Escalate Privilege in AntiDupl
1. Vulnerability Title
AntiDupl, AntiDupl.NET.WinForms.exe, EoP
2. High-level overview of the vulnerability and the possible effect of using it
A non-privileged user can exploit the vulnerability to delete an arbitrary file to escalate the privilege.
3. Exact product that was found to be vulnerable including complete version information
AntiDupl v2.3.12
4. Root Cause Analysis
a. There is a feature in AntiDupl that deletes duplicate images.
b. AntiDupl doesn't lock the directory and the file before removing them.
c. According to the awesome research [Abusing Arbitrary File Deletes to Escalate Privilege and Other Great Tricks](https://www.zerodayinitiative.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-escalate-privilege-and-other-great-tricks), by modifying the target directory to a junction to `\RPC CONTROL\` and creating a native symlink to other files, an attacker can delete an arbitrary file. Then the attacker can elevate the privilege by leveraging Windows Installer.
5. Proof-of-Concept
a. Install AntiDupl.
b. Copy trick.png containing any data to both `C:\Windows\Temp` and `C:\Windows\Temp\test1`.
c. Put `C:\Windows\Temp` to open Paths.
d. Click “Start search” and click “Delete first pictures in selected results”. Make sure the trick.png in test1 is included.
e. Replace FolderContentsDeleteToFolderDelete.cpp and compile the PoC from [FilesystemEoPs](https://github.com/thezdi/PoC/tree/main/FilesystemEoPs) or just use the ones from AntiDupl_eop.7z
f. Run `FolderOrFileDeleteToSystem.exe` and `FolderContentsDeleteToFolderDelete.exe /target C:\Config.msi /initial C:\Windows\Temp`.
g. Click "Refresh results".
h. After running it, a cmd.exe with System privilege will pop up.
6. Software Download Link
a. https://github.com/ermig1979/AntiDupl/releases/tag/v2.3.12
7. Other
a. A demo video demo.mp4 is in the attachment.
b. The testing environment is Windows 10 1909, but the PoC should work in the latest version of win11 23H2. As for the latest win11, the attacker can still achieve arbitrary file deletion.
c. Disable Windows Defender before testing.
d. In the exploit scenario, the victim is supposed to be Administrator, and the attacker is a normal user. The demo video uses the same user for simplicity. |
|---|
| Source | ⚠️ https://drive.google.com/file/d/19jwaqUji6O3U6EAeUMixBM58QTc4qNMQ/view?usp=sharing |
|---|
| User | Zeze7w (UID 40823) |
|---|
| Submission | 2025-10-14 05:28 (8 months ago) |
|---|
| Moderation | 2025-10-27 13:48 (13 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 330127 [ermig1979 AntiDupl up to 2.3.12 Delete Duplicate Image AntiDupl.NET.WinForms.exe privilege escalation] |
|---|
| Points | 20 |
|---|
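
The root cause in item 4b (nothing pins the file or directory between the scan and the removal) is commonly closed by deleting through a handle whose resolved path has been checked. The following C# sketch is an added example, not AntiDupl's code or the submitter's; `HandleDelete`, `DeleteInside` and `scanRoot` are hypothetical names, and it assumes the scanned folder itself is not a link.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Text;
using Microsoft.Win32.SafeHandles;

static class HandleDelete // hypothetical helper class
{
    const uint DELETE = 0x00010000, FILE_READ_ATTRIBUTES = 0x80, FILE_SHARE_READ = 1, OPEN_EXISTING = 3;
    const uint FILE_FLAG_OPEN_REPARSE_POINT = 0x00200000, FILE_FLAG_BACKUP_SEMANTICS = 0x02000000;
    const int FileDispositionInfo = 4; // FILE_INFO_BY_HANDLE_CLASS value
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern SafeFileHandle CreateFileW(string name, uint access, uint share,
        IntPtr security, uint disposition, uint flags, IntPtr template);
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern uint GetFinalPathNameByHandleW(SafeFileHandle h, StringBuilder buf, uint len, uint flags);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool SetFileInformationByHandle(SafeFileHandle h, int infoClass, ref byte info, uint size);

    static SafeFileHandle Open(string path, uint access)
    {
        // OPEN_REPARSE_POINT: a link in the last path component is opened itself, not followed.
        // FILE_SHARE_READ only: nobody else can delete or rename the object while we hold it.
        var h = CreateFileW(path, access, FILE_SHARE_READ, IntPtr.Zero, OPEN_EXISTING,
            FILE_FLAG_OPEN_REPARSE_POINT | FILE_FLAG_BACKUP_SEMANTICS, IntPtr.Zero);
        if (h.IsInvalid) throw new Win32Exception(Marshal.GetLastWin32Error());
        return h;
    }

    static string FinalPath(SafeFileHandle h)
    {
        // Resolved path of the opened object, after any junction in a parent directory.
        var buf = new StringBuilder(32768);
        if (GetFinalPathNameByHandleW(h, buf, (uint)buf.Capacity, 0) == 0)
            throw new Win32Exception(Marshal.GetLastWin32Error());
        return buf.ToString();
    }

    // Delete 'path' only if the object actually opened still lives under 'scanRoot'.
    public static void DeleteInside(string scanRoot, string path)
    {
        using (var root = Open(scanRoot, FILE_READ_ATTRIBUTES))
        using (var file = Open(path, DELETE | FILE_READ_ATTRIBUTES))
        {
            string prefix = FinalPath(root).TrimEnd('\\') + "\\";
            if (!FinalPath(file).StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
                throw new UnauthorizedAccessException("path resolves outside the scanned folder");
            byte deleteFile = 1; // FILE_DISPOSITION_INFO.DeleteFile = TRUE
            if (!SetFileInformationByHandle(file, FileDispositionInfo, ref deleteFile, 1))
                throw new Win32Exception(Marshal.GetLastWin32Error());
        } // the object is removed when the verified handle closes
    }
}
```

Because the check and the delete act on the same open handle, swapping a parent directory for a junction after the scan makes the call fail instead of redirecting the delete.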