MSIX: Container escape without elevation

MVP

Use the MSIX Packaging Tool to package up ConEmu (https://conemu.github.io). This is a multi-tabbed console emulator that hosts cmd and PowerShell sessions in separate tabs.

The main process launches both a conhost and a cmd process, both of which operate outside of the container. It is important to note that this is done without elevation.

I'll attach screenshots of Task Manager showing the process/jobs, and Process Explorer detailing the parent/child relationship.
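One way to check the behaviour reported above without screenshots, as an added example that is not part of the original post: this PowerShell script walks the process tree under the packaged application and asks Windows, through `GetPackageFullName`, whether each process has package identity. It assumes the main process is named `ConEmu64.exe` and treats a missing package identity as the indicator that a child is running outside the container.

```powershell
# Added example: walk a process tree and report which members have MSIX package identity.
# Assumption: the packaged main process is ConEmu64.exe; pass -RootName to change it.
param([string]$RootName = 'ConEmu64')

Add-Type -Namespace Native -Name AppModel -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
[DllImport("kernel32.dll")]
public static extern bool CloseHandle(IntPtr h);
[DllImport("kernel32.dll", CharSet = CharSet.Unicode)]
public static extern int GetPackageFullName(IntPtr hProcess, ref uint length, System.Text.StringBuilder fullName);
'@

$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
$ERROR_INSUFFICIENT_BUFFER = 122      # process has a package; buffer length returned
$APPMODEL_ERROR_NO_PACKAGE = 15700    # process has no package identity

function Get-PackageIdentity([uint32]$ProcessId) {
    $h = [Native.AppModel]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) { return '<cannot open process>' }
    try {
        [uint32]$len = 0
        # First call with no buffer only asks for the required length.
        $rc = [Native.AppModel]::GetPackageFullName($h, [ref]$len, $null)
        if ($rc -eq $APPMODEL_ERROR_NO_PACKAGE) { return '<none>' }
        if ($rc -ne $ERROR_INSUFFICIENT_BUFFER) { return "<error $rc>" }
        $sb = New-Object System.Text.StringBuilder ([int]$len)
        $rc = [Native.AppModel]::GetPackageFullName($h, [ref]$len, $sb)
        if ($rc -eq 0) { return $sb.ToString() } else { return "<error $rc>" }
    } finally { [void][Native.AppModel]::CloseHandle($h) }
}

$all = Get-CimInstance Win32_Process

function Show-Tree($proc, [int]$depth) {
    [pscustomobject]@{
        Process         = ('  ' * $depth) + $proc.Name
        ProcessId       = $proc.ProcessId
        PackageFullName = Get-PackageIdentity $proc.ProcessId
    }
    # Require children to be newer than the parent so a reused PID is not followed.
    $all | Where-Object { $_.ParentProcessId -eq $proc.ProcessId -and
                          $_.ProcessId -ne $proc.ProcessId -and
                          $_.CreationDate -ge $proc.CreationDate } |
        ForEach-Object { Show-Tree $_ ($depth + 1) }
}

$all | Where-Object { $_.Name -eq "$RootName.exe" } |
    ForEach-Object { Show-Tree $_ 0 } | Format-Table -AutoSize
```

A row whose `PackageFullName` is `<none>` under a parent that shows a package name is a child without package identity, which matches what the post describes for the conhost and cmd processes.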