An unpatched Windows security vulnerability could allow information disclosure and local privilege escalation (LPE), researchers have warned. The issue (CVE-2021-24084) has yet to get an official fix, making it a zero-day bug – but a micropatch has been rolled out as a stop-gap measure.
Security researcher Abdelhamid Naceri originally reported the vulnerability as an information-disclosure issue in October 2020, via Trend Micro’s Zero-Day Initiative (ZDI). Though Microsoft had told him it was planning a fix for last April, the patch has not yet been forthcoming.
Then, this month, Naceri discovered that CVE-2021-24084 could also be exploited for LPE, so that non-admin Windows users can read arbitrary files even if they do not have permissions to do so. In a proof-of-concept exploit, he demonstrated that it’s possible to copy files from a chosen location into a Cabinet (.CAB) archive that the user can then open and read.
I mean this is still unpatched and allow LPE if shadow volume copies are enabled;
But I noticed that it doesn't work on windows 11 https://t.co/HJcZ6ew8PO
— Abdelhamid Naceri (@KLINIX5) November 15, 2021
The process for doing so is very similar to the LPE exploitation approach for the HiveNightmare bug, CVE-2021-36934, which affects the Security Accounts Manager (SAM) database in all versions of Windows 10. The SAM component in Windows houses user account credentials and network domain information – a juicy target for attackers.
“As HiveNightmare/SeriousSAM has taught us, an arbitrary file disclosure can be upgraded to local privilege escalation if you know which files to take and what to do with them,” Mitja Kolsek, head of the 0patch team, noted in a recent posting. “We confirmed this [for the zero-day and were] able to run code as local administrator.”
It's still hilarious that this bug is still unpatched and fully functional on a windows 10 21H1 with october patch. https://t.co/HO4Kwbql9z
— Abdelhamid Naceri (@KLINIX5) November 2, 2021
Windows 10 Bug Exploitation Details
Specifically, the vulnerable functionality exists under the “access work or school” settings, according to the opatch writeup. A normal user can make use of the “export your management log files” function, which triggers the Device Management Enrollment Service.
“This service first copies some log files to the C:\ProgramData\Microsoft\MDMDiagnostics folder, and then packages them into a .CAB file whereby they’re temporarily copied to C:\Windows\Temp folder,” explained Kolsek. “The resulting .CAB file is then stored in the C:\Users\Public\Public Documents\MDMDiagnostics folder, where the user can freely access it.”
However, when the .CAB file is copied into the Windows Temp folder, a local attacker can pounce. The adversary would simply create a file shortcut link with a predictable file name that would normally be used in the normal export process, pointing to a target folder or file that the attacker would like to access.
“Since the Device Management Enrollment Service runs as Local System, it can read any system file that the attacker can’t,” Kolsek said.
There are two pre-requisites for achieving LPE, Kolsek noted.
“System protection must be enabled on drive C, and at least one restore point created. Whether system protection is enabled or disabled by default depends on various parameters,” he said. And, “at least one local administrator account must be enabled on the computer, or at least one ‘administrators’ group member’s credentials cached.”
To address the issue, the free micropatch simply checks for the presence of short-cut links during the .CAB file creation.
“The function we patched is CollectFileEntry inside mdmdiagnostics.dll. This is the function that copies files from C:\Windows\Temp folder into the .CAB file, and can be tricked into reading some other files instead,” Kolsek explained. “Our patch is placed immediately before the call to CopyFileW that opens the source file for copying, and uses the GetFinalPathNameByHandleW function to determine whether any junctions or other types of links are used in the path. If they are, our patch makes it look as it the CopyFileW call has failed, thereby silently bypassing the copying of any file that doesn’t actually reside in C:\Windows\Temp.”
Vulnerable versions of Windows include:
- Windows 10 v21H1 (32 & 64 bit) updated with November 2021 Updates
- Windows 10 v20H2 (32 & 64 bit) updated with November 2021 Updates
- Windows 10 v2004 (32 & 64 bit) updated with November 2021 Updates
- Windows 10 v1909 (32 & 64 bit) updated with November 2021 Updates
- Windows 10 v1903 (32 & 64 bit) updated with November 2021 Updates
- Windows 10 v1809 (32 & 64 bit) updated with May 2021 Updates
Windows Servers are not affected, and neither are Windows 11, Windows 10 v1803 and older Windows 10 versions.
Microsoft did not immediately return a request for comment on the timeline for an official patch.
There’s a sea of unstructured data on the internet relating to the latest security threats. REGISTER TODAY to learn key concepts of natural language processing (NLP) and how to use it to navigate the data ocean and add context to cybersecurity threats (without being an expert!). This LIVE, interactive Threatpost Town Hall, sponsored by Rapid 7, will feature security researchers Erick Galinkin of Rapid7 and Izzy Lazerson of IntSights (a Rapid7 company), plus Threatpost journalist and webinar host, Becky Bracken.
Register NOW for the LIVE event!