Apr 06, 2026 • Lucas Laise
Milking the last drop of Intego - Time for Windows to get its LPE
Exploitation of an arbitrary directory deletion via symlink following in the antivirus Intego.
Introduction

It was a sunny Sunday afternoon when my colleague Mathieu Farrell told me about how he discovered three vulnerabilities on the macOS version of Intego (available at 1, 2 and 3). While browsing their website to get some information about this security software I did not know before, I found they also have a Windows version. Why not give it a try to kill some time? A few hours later, I had a Local Privilege Escalation. Not a bad way to spend a sunny afternoon.

The vulnerability is straightforward: Intego's Optimization module deletes duplicate files as SYSTEM without properly validating whether those files are regular files or directory junctions. Combine it with the well-documented Config.msi deletion tricks, and you have got yourself a one-way ticket to SYSTEM privileges. This writeup details the discovery, exploitation and technical analysis of this vulnerability affecting Intego 3.0.0.1.

(Screenshot: Intego version 3.0.0.1.)

Technical background

Intego's Optimization Module

Intego includes an optimization module that scans for duplicate files and offers to delete them. This feature is usable by unprivileged users and it works as follows:

1. The user runs the optimization scan on a specific location.
2. Intego identifies duplicate files based on their content.
3. The user selects which files to delete and clicks the "Cleanup" button.
4. IavService.exe (running as SYSTEM) deletes the files.

On paper, it seems fine. In practice, it is our path to privilege escalation.

About the Config.msi trick

Before diving into the attack, a brief description of the Config.msi deletion primitive documented by ZDI. During the installation and rollback process of the Windows Installer service, the latter stores rollback scripts (.rbs) and rollback files (.rbf) in C:\Config.msi. These files are later processed with SYSTEM privileges.

The exploitation flow looks like this:

1. Abuse a SYSTEM operation to delete the folder C:\Config.msi via a reparse point.
2. The attacker recreates C:\Config.msi and places .rbs and .rbf rollback scripts and files in it.
3. An MSI installation is triggered and forced to fail, causing a rollback action.
4. Windows Installer (SYSTEM) loads the rollback files and scripts, which (by default) drop a DLL at C:\Program Files\Common Files\microsoft shared\ink\HID.DLL, allowing a SYSTEM command prompt to be spawned by starting osk.exe and switching to the secure desktop (just press CTRL+ALT+DEL).

If you want to check some of our previous work on the same class of vulnerability, you can have a look at Avira's CVE-2026-27748 and CVE-2026-27750.

Walkthrough

Using our limited user limited1, we first need to create two identical files with the same content in a fresh (or empty) directory.

(Screenshot: Limited user privileges.)

```
mkdir c:\foobar
echo 123 > c:\foobar\deleteme1.txt
echo 123 > c:\foobar\deleteme2.txt
```

Scan for duplicates in Optimization -> Scan Specific Location and select c:\foobar.

(Screenshot: Scan Specific Location.)

Wait for the scan to finish, check our controlled directory and run Scan Now.

(Screenshot: Scan Now.)

Before Cleanup, first run FolderOrFileDeleteToSystem.exe.

(Screenshot: Run FolderOrFileDeleteToSystem.exe.)

Again, before Cleanup, run the following commands in another shell. First, delete every file in the c:\foobar directory. Then create a symlink to C:\config.msi to trigger the LPE. Finally, "cleanup".

(Screenshot: Delete all files and create the symlink.)

(Screenshot: Run the cleanup action.)

Now, enjoy. The exploit is working: IavService.exe has removed C:\config.msi and we can now spawn a SYSTEM shell by running the virtual keyboard after pressing CTRL+ALT+DEL.

(Screenshot: DLL is successfully dropped.)

(Screenshot: Procmon capture confirms the delete action as SYSTEM.)

(Screenshot: Access to SYSTEM command prompt.)

Vulnerability analysis

Analyzing IavService.exe reveals the issue in the deletion workflow:

1. TIME-OF-CHECK: GetFileAttributesW() checks the file attributes.
2. The user clicks "Cleanup": window of opportunity.
3. TIME-OF-USE: DeleteFileW() is called via IavFilesUtil_RemoveFile.

The code never verifies that file_attributes contains FILE_ATTRIBUTE_REPARSE_POINT (0x400) or FILE_ATTRIBUTE_DIRECTORY (0x10). Junctions and directories pass through unchecked.

Below is the simplified pseudocode for the vulnerable functions.

Function: IavFileDeleteEx_DeleteFileEx

This function performs initial checks and coordinates deletion. It runs as SYSTEM but does not verify file types.

```c
bool IavFileDeleteEx_DeleteFileEx(wstring *filepath_wstring_ptr, void *stack_frame_base, void *unused_param)
{
    // TIME-OF-CHECK
    file_attributes = GetFileAttributesW(*filepath_wstring_ptr);

    // The code does NOT verify:
    // - if (file_attributes & FILE_ATTRIBUTE_REPARSE_POINT)  // 0x400
    // - if (file_attributes & FILE_ATTRIBUTE_DIRECTORY)      // 0x10
    // This allows symlinks and directories to pass through unchecked

    // Only checks if file is read-only
    if ((file_attributes & FILE_ATTRIBUTE_READONLY) != 0) {
        if (!SetFileAttributesW(*...
```
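As an added example (not Intego's code and not from the original writeup), here is the check the deletion routine above lacks, written in Python so it runs anywhere: refuse anything that is not a plain file, decided without following links (the reparse-point and directory attribute bits named above on Windows, S_ISLNK/S_ISDIR on POSIX), then re-verify through an open handle so the object checked is the object deleted. The handle step is shown POSIX-style (O_NOFOLLOW, fstat) because Python's os module does not expose the Windows equivalent (opening with FILE_FLAG_OPEN_REPARSE_POINT and deleting via FILE_DISPOSITION_INFO on the handle); the sample directory in demo() is constructed for the example.

```python
import os
import stat
import tempfile

# Attribute bits named in the advisory (stat.FILE_ATTRIBUTE_* exists only on Windows)
FILE_ATTRIBUTE_DIRECTORY = 0x10
FILE_ATTRIBUTE_REPARSE_POINT = 0x400


def classify(path):
    """Return 'regular', 'symlink', 'directory' or 'other' WITHOUT following links."""
    st = os.lstat(path)
    win_attrs = getattr(st, "st_file_attributes", 0)  # 0 on POSIX
    # Junction/symlink: reparse-point bit on Windows, S_ISLNK on POSIX; test this first
    if win_attrs & FILE_ATTRIBUTE_REPARSE_POINT or stat.S_ISLNK(st.st_mode):
        return "symlink"
    if win_attrs & FILE_ATTRIBUTE_DIRECTORY or stat.S_ISDIR(st.st_mode):
        return "directory"
    return "regular" if stat.S_ISREG(st.st_mode) else "other"


def safe_delete_regular_file(path):
    """Delete `path` only if it is a plain file. True if deleted, False if refused."""
    if classify(path) != "regular":
        return False  # the check IavService.exe never makes
    # Shrink the check-then-delete window: open without following links, then confirm
    # the opened object is still what the path names before unlinking it.
    try:
        fd = os.open(path, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
    except OSError:  # e.g. ELOOP: the path was swapped for a symlink meanwhile
        return False
    try:
        st_fd, st_path = os.fstat(fd), os.lstat(path)
        if not stat.S_ISREG(st_fd.st_mode) or (st_fd.st_dev, st_fd.st_ino) != (
                st_path.st_dev, st_path.st_ino):
            return False
        os.unlink(path)
        return True
    finally:
        os.close(fd)


def demo():
    # Constructed sample: a plain duplicate, a symlink posing as one, and a directory
    root = tempfile.mkdtemp()
    plain, link = os.path.join(root, "deleteme1.txt"), os.path.join(root, "deleteme2.txt")
    protected = os.path.join(root, "protected_dir")  # stands in for C:\Config.msi
    with open(plain, "w") as f:
        f.write("123")
    os.mkdir(protected)
    os.symlink(protected, link)
    return {"plain": safe_delete_regular_file(plain), "link": safe_delete_regular_file(link),
            "dir": safe_delete_regular_file(protected), "protected_survives": os.path.isdir(protected)}
```

Only the plain duplicate is removed; the symlink and the directory it points at are refused and survive, which is exactly the outcome the missing attribute check would have given here.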
Linked Entities
- CVE-2026-27748
- CVE-2026-27750