Full title: Windows Escalate UAC Protection Bypass Via SilentCleanup Exploit 
Category: remote exploits
Platform: windows
There's a task in Windows Task Scheduler called "SilentCleanup" which, while it's executed as Users, automatically runs with elevated privileges. When it runs, it executes the file %windir%\system32\cleanmgr.exe. Since it runs as Users, and we can control user's environment variables, %windir% (normally pointing to C:\Windows) can be changed to point to whatever we want, and it'll run as admin.

# 0day.today @ http://0day.today/