0patch beats Microsoft to fix serious local privilege escalation vulnerability in Windows
Once again, micro-patching firm 0patch has beaten Microsoft to the punch, releasing an unofficial patch for a zero-day vulnerability in Windows.
This time around we're talking about CVE-2021-24084, a local privilege escalation (LPE) zero-day vulnerability in Windows' Mobile Device Management (MDM) diagnostics functionality. The flaw affects Windows 10 version 1809 and later, and Microsoft has yet to release an official patch of its own. Not wanting to leave systems at risk of attack, 0patch stepped in to help out users by offering up a free fix.
The vulnerability was revealed by Abdelhamid Naceri, who found that a non-administrator could access data they were not entitled to by exploiting an "unpatched information disclosure" vulnerability in Windows.
In a blog post, Naceri explains the timeline of events: "This bug was initially recognized in October 2020 and has been reported to the Zero Day Initiative program. The bug was reported to Microsoft on 2020/10/27 by Zero Day Initiative; the bug was acknowledged and a security advisory was released as CVE-2021-24084".
The post continues:
On Patch Tuesday I tried to see the changes introduced to the original code, and I was shocked: nothing had changed, even though I had installed the update that said it was fixing the bug.
I reached out to ZDI and they confirmed they were able to reproduce the indicated behavior without any minimal changes to the original PoC. After a few days, I received an update from ZDI saying that Microsoft would release a final patch in the April 2021 update.
April arrived and the bug was still unpatched, so I reached out to ZDI. After a long calm, ZDI reached out to me with an update and said that they had had a meeting with the Principal Program Manager of MSRC, that the issue is clearly acknowledged and under active investigation and is not being left as a joke, and that a final patch will be released in July (maybe in 2022 lmao).
While Naceri's blog post makes for very interesting reading, the fact that Microsoft has not addressed the issue is concerning.
0patch says that it was not initially interested in the vulnerability, but later changed its mind: "While we had noticed Abdelhamid's June disclosure, it didn't seem to be a critical enough issue for micropatching, as we generally don't patch information disclosure bugs. In November, however, Abdelhamid pointed out that this -- still unpatched -- bug may not be just an information disclosure issue, but a local privilege escalation vulnerability".
The company goes on to summarize the vulnerability:
The vulnerable functionality resides under the "Access work or school" settings and can be triggered by clicking on "Export your management log files" and confirming by pressing "Export". At that point, the Device Management Enrollment Service is triggered, running as Local System. This service first copies some log files to the C:\ProgramData\Microsoft\MDMDiagnostics folder, and then packages them into a CAB file whereby they're temporarily copied to C:\Windows\Temp folder. The resulting CAB file is then stored in the C:\Users\Public\Public Documents\MDMDiagnostics folder, where the user can freely access it.
It is the copying to C:\Windows\Temp folder that is vulnerable. Namely, a local attacker can create a soft link (junction) there with a predictable file name that will be used in the above-described process, pointing to some file or folder they want to have copied to the CAB file. Since the Device Management Enrollment Service runs as Local System, it can read any system file that the attacker can't.
Abdelhamid's POC targets the kernel dump files in folder C:\Windows\LiveKernelReports to demonstrate the issue, while we used SAM, SECURITY and SYSTEM files from a restore point folder to achieve local privilege escalation.
The vulnerability has CVE-2021-24084 assigned, but we still consider it a "0day" as no official vendor fix is available.
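The write-up above gives a defender two things to look for on a host: a junction or symbolic link planted in C:\Windows\Temp that points somewhere outside it, and an exported MDM diagnostics CAB that contains files which have no business in a log export (registry hives such as SAM, SECURITY and SYSTEM, or .dmp files from C:\Windows\LiveKernelReports). The PowerShell script below is an added hunting example written for this article; it is not 0patch's micropatch or Naceri's PoC. It scans every reparse point rather than only symbolic links because, unlike symbolic links, NTFS junctions can be created by an unprivileged user without SeCreateSymbolicLinkPrivilege. Assumptions not taken from the article: the junction name the service will hit is not known to the script, so every reparse point in the temp directory is reported; the CAB listing is parsed from expand.exe's "-D" output, which prints one "<cab>: <entry>" line per archived file; and the export folder is addressed by its on-disk path C:\Users\Public\Documents\MDMDiagnostics ("Public Documents" is the Explorer display name of that folder).

```powershell
# Added hunting script for the MDM diagnostics junction abuse described above.
# Not 0patch's or Naceri's code. Assumptions (not from the article): every reparse
# point in C:\Windows\Temp is reported because the name the service will use is
# not known here, and expand.exe -D prints one "<cab>: <entry>" line per file.
#Requires -RunAsAdministrator

$TempDir   = 'C:\Windows\Temp'
$OutputDir = 'C:\Users\Public\Documents\MDMDiagnostics'   # on-disk path of "Public Documents"
# File names the write-up says an attacker would steer into the exported CAB.
$Sensitive = @('SAM', 'SECURITY', 'SYSTEM')

function Get-SuspiciousReparsePoint {
    param([string]$Path = $TempDir)
    Get-ChildItem -LiteralPath $Path -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::ReparsePoint } |
        ForEach-Object {
            # PowerShell exposes LinkType/Target on FileSystemInfo objects; Target may be
            # a string or an array depending on the PowerShell version, so join it.
            $target = ($_.Target -join ';')
            [pscustomobject]@{
                Path       = $_.FullName
                LinkType   = $_.LinkType            # Junction or SymbolicLink
                Target     = $target
                Created    = $_.CreationTime
                # A link in a SYSTEM-written temp directory that leads out of it is the tell;
                # an unresolvable target is flagged too rather than silently passed.
                Suspicious = -not ($target -like "$TempDir*")
            }
        }
}

function Get-CabEntry {
    param([Parameter(Mandatory)][string]$CabPath)
    # expand.exe -D lists an archive without extracting it.
    & "$env:windir\System32\expand.exe" -D $CabPath 2>$null |
        ForEach-Object { if ($_ -match '\.cab:\s+(.+?)\s*$') { $Matches[1] } }
}

function Test-ExportedCab {
    param([string]$Path = $OutputDir)
    Get-ChildItem -LiteralPath $Path -Filter *.cab -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $entries = @(Get-CabEntry -CabPath $_.FullName)
            # Registry hives and LiveKernelReports dumps do not belong in an MDM log export.
            $leaked  = @($entries | Where-Object {
                $leaf = Split-Path -Leaf $_
                ($Sensitive -contains $leaf) -or ($leaf -like '*.dmp')
            })
            [pscustomobject]@{ Cab = $_.FullName; Entries = $entries.Count; Leaked = $leaked }
        }
}

Get-SuspiciousReparsePoint | Format-Table -AutoSize
Test-ExportedCab | Where-Object { $_.Leaked.Count -gt 0 } | Format-List
```

Run it as an administrator on a host where the export has been triggered; any row with Suspicious set to True, or any CAB listed under Leaked, is worth a closer look at who created the reparse point and who pressed "Export". The CAB check is only as good as the file names, so an attacker who renames what the junction points at will slip past it; the reparse-point check does not depend on names.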
While 0patch offers a subscription service for access to its patches, the company has released the micropatch for this issue free for everyone until such time as Microsoft releases a fix of its own. More details are available in 0patch's write-up.