Nov 30, 2021
79 Views
0 0

Unpatched Windows Zero-Day Allows Privileged File Access

Written by

Newsletter
Join thousands of people who receive the latest breaking cybersecurity news every day.
The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.
The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.
Share this article:
A temporary fix has been issued for CVE-2021-24084, which can be exploited using the LPE exploitation approach for the HiveNightmare/SeriousSAM bug.
An unpatched Windows security vulnerability could allow information disclosure and local privilege escalation (LPE), researchers have warned. The issue (CVE-2021-24084) has yet to get an official fix, making it a zero-day bug – but a micropatch has been rolled out as a stop-gap measure.
Security researcher Abdelhamid Naceri originally reported the vulnerability as an information-disclosure issue in October 2020, via Trend Micro’s Zero-Day Initiative (ZDI). Though Microsoft had told him it was planning a fix for last April, the patch has not yet been forthcoming.

Then, this month, Naceri discovered that CVE-2021-24084 could also be exploited for LPE, so that non-admin Windows users can read arbitrary files even if they do not have permissions to do so. In a proof-of-concept exploit, he demonstrated that it’s possible to copy files from a chosen location into a Cabinet (.CAB) archive that the user can then open and read.
I mean this is still unpatched and allow LPE if shadow volume copies are enabled;
But I noticed that it doesn't work on windows 11 https://t.co/HJcZ6ew8PO
— Abdelhamid Naceri (@KLINIX5) November 15, 2021

The process for doing so is very similar to the LPE exploitation approach for the HiveNightmare bug, CVE-2021-36934, which affects the Security Accounts Manager (SAM) database in all versions of Windows 10. The SAM component in Windows houses user account credentials and network domain information – a juicy target for attackers.
“As HiveNightmare/SeriousSAM has taught us, an arbitrary file disclosure can be upgraded to local privilege escalation if you know which files to take and what to do with them,” Mitja Kolsek, head of the 0patch team, noted in a recent posting. “We confirmed this [for the zero-day and were] able to run code as local administrator.”
It's still hilarious that this bug is still unpatched and fully functional on a windows 10 21H1 with october patch. https://t.co/HO4Kwbql9z
— Abdelhamid Naceri (@KLINIX5) November 2, 2021

Specifically, the vulnerable functionality exists under the “access work or school” settings, according to the opatch writeup. A normal user can make use of the “export your management log files” function, which triggers the Device Management Enrollment Service.
“This service first copies some log files to the C:ProgramDataMicrosoftMDMDiagnostics folder, and then packages them into a .CAB file whereby they’re temporarily copied to C:WindowsTemp folder,” explained Kolsek. “The resulting .CAB file is then stored in the C:UsersPublicPublic DocumentsMDMDiagnostics folder, where the user can freely access it.”
However, when the .CAB file is copied into the Windows Temp folder, a local attacker can pounce. The adversary would simply create a file shortcut link with a predictable file name that would normally be used in the normal export process, pointing to a target folder or file that the attacker would like to access.
“Since the Device Management Enrollment Service runs as Local System, it can read any system file that the attacker can’t,” Kolsek said.
There are two pre-requisites for achieving LPE, Kolsek noted.
“System protection must be enabled on drive C, and at least one restore point created. Whether system protection is enabled or disabled by default depends on various parameters,” he said. And, “at least one local administrator account must be enabled on the computer, or at least one ‘administrators’ group member’s credentials cached.”
To address the issue, the free micropatch simply checks for the presence of short-cut links during the .CAB file creation.
“The function we patched is CollectFileEntry inside mdmdiagnostics.dll. This is the function that copies files from C:WindowsTemp folder into the .CAB file, and can be tricked into reading some other files instead,” Kolsek explained. “Our patch is placed immediately before the call to CopyFileW that opens the source file for copying, and uses the GetFinalPathNameByHandleW function to determine whether any junctions or other types of links are used in the path. If they are, our patch makes it look as it the CopyFileW call has failed, thereby silently bypassing the copying of any file that doesn’t actually reside in C:WindowsTemp.”
Vulnerable versions of Windows include:
Windows Servers are not affected, and neither are Windows 11, Windows 10 v1803 and older Windows 10 versions.
Microsoft did not immediately return a request for comment on the timeline for an official patch.
There’s a sea of unstructured data on the internet relating to the latest security threats. REGISTER TODAY to learn key concepts of natural language processing (NLP) and how to use it to navigate the data ocean and add context to cybersecurity threats (without being an expert!). This LIVE, interactive Threatpost Town Hall, sponsored by Rapid 7, will feature security researchers Erick Galinkin of Rapid7 and Izzy Lazerson of IntSights (a Rapid7 company), plus Threatpost journalist and webinar host, Becky Bracken.
Register NOW for the LIVE event!
Share this article:
Customers of several brands that resell GoDaddy Managed WordPress have also been caught up in the big breach, in which millions of emails, passwords and more were stolen.
Just weeks after a judge ruled that NSO Group did not have immunity in a suit brought by Facebook subsidiary WhatsApp, Apple is adding significant weight to the company’s woes.
Researcher discovered a “more powerful” variant of an elevation-of-privilege flaw for which Microsoft released a botched patch earlier this month.


This site uses Akismet to reduce spam. Learn how your comment data is processed.
Join thousands of people who receive the latest breaking cybersecurity news every day.
Pankaj Gupta, Senior Director at @Citrix, outlines how distributed denial of service attacks have become increasing… https://t.co/djwhuUE82e
2 weeks ago
Get the latest breaking news delivered daily to your inbox.
The First Stop For Security News
Infosec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.

source

Article Categories:
Vulnerabilities

Comments are closed.