
Commit b16c05b

author
HackTricks News Bot
committed
Add content from: CVE-2025-1729 - Privilege Escalation Using TPQMAssistant.exe
1 parent 5b06f00 commit b16c05b

File tree

1 file changed

+42
-0
lines changed
  • src/windows-hardening/windows-local-privilege-escalation/dll-hijacking

src/windows-hardening/windows-local-privilege-escalation/dll-hijacking/README.md

Lines changed: 42 additions & 0 deletions
@@ -228,8 +228,50 @@ BOOL APIENTRY DllMain (HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReser
228228
}
229229
```
230230
231+
## Case Study: CVE-2025-1729 - Privilege Escalation Using TPQMAssistant.exe
232+
233+
This case demonstrates **Phantom DLL Hijacking** in Lenovo's TrackPoint Quick Menu (`TPQMAssistant.exe`), tracked as **CVE-2025-1729**.
234+
235+
### Vulnerability Details
236+
237+
- **Component**: `TPQMAssistant.exe` located at `C:\ProgramData\Lenovo\TPQM\Assistant\`.
238+
- **Scheduled Task**: `Lenovo\TrackPointQuickMenu\Schedule\ActivationDailyScheduleTask` runs daily at 9:30 AM under the context of the logged-on user.
239+
- **Directory Permissions**: Writable by `CREATOR OWNER`, allowing local users to drop arbitrary files.
240+
- **DLL Search Behavior**: Attempts to load `hostfxr.dll` from its working directory first and logs "NAME NOT FOUND" if missing, indicating local directory search precedence.
241+
242+
### Exploit Implementation
243+
244+
An attacker can place a malicious `hostfxr.dll` stub in the same directory, exploiting the missing DLL to achieve code execution under the user's context:
245+
246+
```c
247+
#include <windows.h>
248+
249+
BOOL APIENTRY DllMain(HMODULE hModule, DWORD fdwReason, LPVOID lpReserved) {
250+
if (fdwReason == DLL_PROCESS_ATTACH) {
251+
// Payload: display a message box (proof-of-concept)
252+
MessageBoxA(NULL, "DLL Hijacked!", "TPQM", MB_OK);
253+
}
254+
return TRUE;
255+
}
256+
```
257+
258+
### Attack Flow
259+
260+
1. As a standard user, drop `hostfxr.dll` into `C:\ProgramData\Lenovo\TPQM\Assistant\`.
261+
2. Wait for the scheduled task to run at 9:30 AM under the current user's context.
262+
3. If an administrator is logged in when the task executes, the malicious DLL runs in the administrator's session at medium integrity.
263+
4. Chain standard UAC bypass techniques to elevate from medium integrity to SYSTEM privileges.
264+
265+
### Mitigation
266+
267+
Lenovo released UWP version **1.12.54.0** via the Microsoft Store, which installs TPQMAssistant under `C:\Program Files (x86)\Lenovo\TPQM\TPQMAssistant\`, removes the vulnerable scheduled task, and uninstalls the legacy Win32 components.
268+
231269
## References
232270
271+
- [CVE-2025-1729 - Privilege Escalation Using TPQMAssistant.exe](https://trustedsec.com/blog/cve-2025-1729-privilege-escalation-using-tpqmassistant-exe)
272+
- [Microsoft Store - TPQM Assistant UWP](https://apps.microsoft.com/detail/9mz08jf4t3ng)
273+
274+
233275
- [https://medium.com/@pranaybafna/tcapt-dll-hijacking-888d181ede8e](https://medium.com/@pranaybafna/tcapt-dll-hijacking-888d181ede8e)
234276
- [https://cocomelonc.github.io/pentest/2021/09/24/dll-hijacking-1.html](https://cocomelonc.github.io/pentest/2021/09/24/dll-hijacking-1.html)
235277
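Review bot: steps 2 and 3 of the "Attack Flow" contradict each other and the "Scheduled Task" bullet: step 2 says the task runs "under the current user's context", while step 3 needs the DLL to run in an administrator's session. Since the bullet says the task runs as whichever user is logged on, the section should state the precondition once and plainly: the DLL is placed by a low-privileged account, and the escalation only happens when a different, administrative user is the one logged on when the 9:30 AM trigger fires; otherwise the DLL just runs as the same low-privileged user. Two smaller points: the "Directory Permissions" bullet should name the principal that can actually create files in `C:\ProgramData\Lenovo\TPQM\Assistant\` (`CREATOR OWNER` only governs the permissions of files once created, not who may create them), and the "Mitigation" section would help defenders more if it said how to confirm the fixed version is in effect, e.g. that `Lenovo\TrackPointQuickMenu\Schedule\ActivationDailyScheduleTask` no longer exists and that the legacy `C:\ProgramData\Lenovo\TPQM\Assistant\` directory is gone or no longer writable by standard users.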
