Local arbitrary file read PoC exploit for the Windows UPnP Device Host service. Reads an arbitrary file in the context of LOCAL SERVICE. Tested against Windows 11 Pro build 26200.8457.
Reported to Microsoft. Assessed as "not a vulnerability".
- Clone the repository.
- Build the UPnPHostFileRead solution.
- Run `UPnPHostFileRead.exe SOURCE DESTINATION`.
The SOURCE file will be read in the context of LOCAL SERVICE and will then be written to DESTINATION in the context of the current user.
Normal users can create an instance of the UPnPRegistrar COM object and call the RegisterRunningDevice method, which will register a device with a device description XML. This XML can reference an icon, but the reference is vulnerable to path traversal and can be pointed to any file on the system. After registering the device, the referenced file is then exposed by an HTTP service running as LOCAL SERVICE and anyone can access the endpoint and download the file.
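A defender-side containment check for icon references in a device description, as an added example (not code from this repository or from Windows). It assumes icon `<url>` values are resolved relative to a resource directory; the `BASE` path, the sample XML and the function names are constructed for illustration.

```python
import ntpath
import xml.etree.ElementTree as ET
from urllib.parse import unquote

NS = {"d": "urn:schemas-upnp-org:device-1-0"}  # UPnP device description namespace
BASE = r"C:\ExampleDevice\resources"  # hypothetical resource directory (assumption)

# Constructed sample description; not taken from the PoC.
SAMPLE = r"""
<root xmlns="urn:schemas-upnp-org:device-1-0">
  <device>
    <friendlyName>Constructed sample</friendlyName>
    <iconList>
      <icon><mimetype>image/png</mimetype><url>icons/device.png</url></icon>
      <icon><mimetype>image/png</mimetype><url>..\..\outside\secret.txt</url></icon>
      <icon><mimetype>image/png</mimetype><url>%2e%2e/%2e%2e/outside/secret.txt</url></icon>
    </iconList>
  </device>
</root>
"""

def icon_refs(description_xml):
    """Return every icon <url> value, including those of embedded devices."""
    root = ET.fromstring(description_xml.strip())
    return [(u.text or "").strip()
            for u in root.iterfind(".//d:iconList/d:icon/d:url", NS)]

def is_unsafe_ref(ref, base=BASE):
    """True if ref, resolved with Windows path rules, is not a path under base."""
    ref = unquote(ref)  # decode once so percent-encoded dot segments are seen
    drive, _ = ntpath.splitdrive(ref)
    if drive or ref.startswith(("/", "\\")):
        return True  # drive-qualified, UNC or rooted reference
    base_n = ntpath.normcase(ntpath.normpath(base))
    full = ntpath.normcase(ntpath.normpath(ntpath.join(base, ref)))
    return not full.startswith(base_n + "\\")

def audit(description_xml, base=BASE):
    """Return the icon references that resolve outside the resource directory."""
    return [r for r in icon_refs(description_xml) if is_unsafe_ref(r, base)]

if __name__ == "__main__":
    for ref in audit(SAMPLE):
        print("icon reference escapes resource directory:", ref)
```

The check is lexical only; a service that serves these files should also compare the final path of the opened handle against the resource directory, since junctions and symlinks are not visible to string normalization.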

