MSIX: Container escape

%3CLINGO-SUB%20id%3D%22lingo-sub-233671%22%20slang%3D%22en-US%22%3EMSIX%3A%20Container%20escape%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-233671%22%20slang%3D%22en-US%22%3E%3CP%3EPackaged%20up%20Notepad%2B%2B%20using%20the%20MSIX%20Packaging%20Tool.%20%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20tool%20fails%20to%20detect%20that%20the%20main%20program%20can%20elevate%20itself.%26nbsp%3B%20I%20am%20guessing%20it%20isn't%20manifested%20and%20is%20code%20based%20elevation.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EUsing%20the%20packaged%20version%20running%20in%20a%20container%2C%20open%20up%20a%20text%20file%20from%20c%3A%5CWindows%2C%20make%20a%20change%20and%20try%20to%20save%20the%20file.%26nbsp%3B%20Notepad%2B%2B%20will%20detect%20that%20you%20can't%20write%20to%20that%20location%20and%20via%20popup%20offer%20to%20elevate%20so%20that%20you%20can.%26nbsp%3B%20This%20elevation%20creates%20a%20new%20Notepad%2B%2B%20that%20is%20elevated%20and%20running%20outside%20of%20the%20container.%3C%2FP%3E%3C%2FLINGO-BODY%3E
MVP

Packaged up Notepad++ using the MSIX Packaging Tool.  

The tool fails to detect that the main program can elevate itself.  I am guessing it isn't manifested and is code based elevation.

 

Using the packaged version running in a container, open up a text file from c:\Windows, make a change and try to save the file.  Notepad++ will detect that you can't write to that location and via popup offer to elevate so that you can.  This elevation creates a new Notepad++ that is elevated and running outside of the container.

0 Replies