Bypassing NTFS permissions to read any file as an unprivileged user.

# CVE-2020-16938
`CVE-2020-16938` is a vulnerability that allows you to get unrestricted file read capabilities on the entire disk as an unprivileged user. The bug was originally found and reported by my friend [Jonas](https://twitter.com/jonasLyk/status/1316104870987010048). His PoC can be found [here](https://twitter.com/jonasLyk/status/1316104870987010048).
My version of the exploit consists of a bunch of Windows API calls to get the handle directly without using 7zip. The PoC can be found in the `poc` folder, which mirrors the [tweet](https://twitter.com/layle_ctf/status/1316108167609188354) I created a while ago.
In short, this exploit allows you to dump the entire disk. The dump itself can be opened using 7zip or any other parser that supports NTFS.

```
[4.0K] /data/pocs/2fc1cdc9e70d1b47cf759c9000d27ae06cfacb64
├── [4.0K] image
│   └── [126K] poc.png
├── [4.0K] ntfs_bypass
│   ├── [4.0K] ntfs_bypass
│   │   ├── [1.7K] ntfs_bypass.cpp
│   │   ├── [7.3K] ntfs_bypass.vcxproj
│   │   ├── [1.0K] ntfs_bypass.vcxproj.filters
│   │   ├── [ 165] ntfs_bypass.vcxproj.user
│   │   └── [ 26K] wrapper.hpp
│   └── [1.4K] ntfs_bypass.sln
├── [4.0K] poc
│   ├── [ 33K] exploit.exe
│   ├── [ 33K] exploit_fixed.exe
│   └── [ 337] poc.txt
└── [ 790] README.md

4 directories, 11 files
```