A security researcher has disclosed technical details of a Windows zero-day elevation of privilege vulnerability and a public proof of concept (PoC) exploit that grants SYSTEM privileges under certain conditions.
A public proof of concept (PoC) exploit and technical details for an unpatched Windows zero-day elevation of privilege vulnerability have been disclosed; the flaw allows a user to gain SYSTEM privileges under certain conditions.
The good news is that the exploit requires a malicious actor to know another user’s username and password to trigger the vulnerability, so it likely won’t be widely used in attacks.
The bad news is that it affects all versions of Windows, including Windows 10, Windows 11, and Windows Server 2022.
Researcher releases bypass to patched vulnerability
In August, Microsoft released a security update for a “Windows User Profile Service elevation of privilege vulnerability” identified as CVE-2021-34484 and discovered by security researcher Abdelhamid Naceri.
After reviewing the fix, Naceri found that the fix was not enough and he was able to bypass it with a new exploit that he posted on GitHub.
“Technically, in the previous report CVE-2021-34484, I described a bug where you can abuse the user profile service to create a second junction,” explains Naceri in a technical write-up on the vulnerability and the new bypass.
“But as I see in the ZDI advisory and the Microsoft patch, the bug was measured as an arbitrary directory deletion bug.”
“Microsoft did not fix what was provided in the report but the impact of the PoC. As the PoC I wrote before was horrible, it could only reproduce a directory deletion bug.”
Naceri says that since Microsoft only fixed the symptom described in his bug report and not the underlying cause, he was able to revise his exploit to create the junction elsewhere and still gain elevation of privilege.
This exploit will cause an elevated command prompt with SYSTEM privileges to be launched while the User Account Control (UAC) prompt is displayed.
Will Dormann, a vulnerability analyst for CERT/CC, tested the vulnerability and found that while it worked, it was finicky and did not always create the elevated command prompt.
When TechToSee tested the vulnerability, it immediately launched an elevated command prompt as shown below.
As this bug requires a malicious actor to know another user’s username and password, it will not be abused as much as other elevation of privilege vulnerabilities we’ve seen recently, such as PrintNightmare.
“Definitely still a problem. And there may be scenarios where it can be abused. But the 2-account requirement probably puts it in the boat of NOT being something that will be widely used in the wild,” Dormann told TechToSee.
TechToSee has contacted Microsoft to see if they will fix this bug but has not received a response yet.