Windows Zero-Day Allows Privileged File Access

A Windows security vulnerability could allow information disclosure and local privilege escalation (LPE), researchers have warned. The issue (CVE-2021-24084) has yet to get an official fix, but there is a way to protect yourself. A micropatch has been rolled out as a stop-gap measure.
 
 
Security researcher Abdelhamid Naceri reported a bug in Microsoft’s Autopilot software last October. Microsoft patched it in April, but it has not yet been released. Naceri recently discovered that CVE-2021-24084 could also be exploited for local privilege escalation. He demonstrates that users can copy files from a chosen location into a Cabinet (.CAB) archive, which they can then open and read.
 
 
The process of exploiting the bug is very similar to the LPE exploitation techniques used in a vulnerability in Windows 10, CVE-2021-36934. This bug affects the Security Accounts Manager (SAM) database, which houses user account credentials and network domain information.
 

Windows 10 Bug Exploitation Details

The bug is in the “access work or school” permissions, according to the Microsoft opatch writeup. Any normal user can take advantage of the “export your management log files” feature, which triggers the Device Management Enrollment Service.

 
“This service first copies some log files to the C:\ProgramData\Microsoft\MDMDiagnostics folder, and then packages them into a .CAB file whereby they’re temporarily copied to C:\Windows\Temp folder,” explained Kolsek. “The resulting .CAB file is then stored in the C:\Users\Public\Public Documents\MDMDiagnostics folder, where the user can freely access it.”
 
An attacker can pounce on this vulnerability when an unsuspecting user copies the .CAB file into the Windows Temp folder. The attacker would need to create a file shortcut link with a predictable file name that would normally be used in the normal exporting process, pointing to a target folder or file that the attacker would like to access.
 
 
You see, the Windows operating system uses a tool called CollectFileEntry to copy files from the Temp folder into a .CAB file. It is possible to trick it into opening any file instead of those in the Temp folder by tricking it into opening our patch first. The patch is placed immediately before the call to CopyFileW that opens the source file for copying, and uses the GetFinalPathNameByHandleW function to determine which file will be opened.
 
 

Vulnerable versions of Windows include:

  • Windows 10 v21H1 (32 & 64 bit) updated with November 2021 Updates
  • Windows 10 v20H2 (32 & 64 bit) updated with November 2021 Updates
  • Windows 10 v2004 (32 & 64 bit) updated with November 2021 Updates
  • Windows 10 v1909 (32 & 64 bit) updated with November 2021 Updates
  • Windows 10 v1903 (32 & 64 bit) updated with November 2021 Updates
  • Windows 10 v1809 (32 & 64 bit) updated with May 2021 Updates

Windows Servers are not affected, and neither are Windows 11, Windows 10 v1803 and older Windows 10 versions.

 

I hope this article was helpful, if you have any questions please feel free to contact me. If you would like to be notified of when I create a new post you can subscribe to my blog alert.


Discover more from Patrick Domingues

Subscribe to get the latest posts sent to your email.

author avatar
Patrick Domingues

Leave a Comment

Stay Informed

Receive instant notifications when new content is released.