Micropatch Released for Partially Fixed Windows 10 Privilege Escalation Flaw

0Patch has released a micropatch to address a vulnerability in Windows that could allow local privilege escalation to obtain system privileges.

The micropatch addresses a vulnerability that Microsoft only partially patched in August. The flaw, tracked as CVE-2021-34484, is an arbitrary directory deletion issue. It was rated as only low severity because an attacker would already need to be logged into the targeted computer to exploit it, and the reported impact was limited to deleting folders, which an attacker with low-level permissions would be able to do.

Security researcher Abdelhamid Naceri identified the vulnerability and determined the potential impact of exploiting the flaw was more severe than reported by Microsoft, as a regular user could elevate privileges to system level. He also discovered it was possible to bypass the Microsoft patch and developed a proof-of-concept exploit for the flaw.

“The vulnerability lies in the User Profile Service, specifically in the code responsible for creating a temporary user profile folder in case the user’s original profile folder is damaged or locked for some reason,” explained Mitja Kolsek of 0Patch. “Abdelhamid found that the process (executed as Local System) of copying folders and files from user’s original profile folder to the temporary one can be attacked with symbolic links to create attacker-writable folders in a system location from which a subsequently launched system process would load and execute attacker’s DLL.”

While the flaw is simple to exploit, doing so requires the attacker to win a race condition, because the system's legitimate copy operation and the attacker's malicious operation are taking place at the same time; however, a failed attempt costs the attacker nothing, as there is no limit on the number of retries.

The Microsoft patch only partially corrected the issue, as Kolsek explained. “[Microsoft’s Fix] checked whether the destination folder under C:\Users\TEMP was a symbolic link, and aborted the operation if so. The incompleteness of this fix, as noticed by Abdelhamid, was in the fact that the symbolic link need not be in the upper-most folder (which Microsoft’s fix checked), but in any folder along the destination path.”

0Patch corrected the flaw by extending the symbolic-link check to the entire destination path, using the “GetFinalPathNameByHandle” function to resolve the location that an opened directory handle actually refers to.
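To illustrate why a check limited to the top-level destination folder is insufficient, and how resolving the full destination path closes the gap, the following Python example is added here; it is not 0Patch's or Microsoft's code. It builds a constructed directory tree under a temporary folder (standing in for C:\Users\TEMP and a system location) and uses os.path.realpath as a cross-platform stand-in for GetFinalPathNameByHandle.

```python
import os
import shutil
import tempfile


def is_safe_top_level_only(dest, expected_root):
    """Incomplete check, in the pattern the article attributes to the original fix:
    only the upper-most folder below expected_root is tested for being a symlink."""
    rel = os.path.relpath(dest, expected_root)
    top = os.path.join(expected_root, rel.split(os.sep)[0])
    return not os.path.islink(top)


def is_safe_final_path(dest, expected_root):
    """Complete check: resolve every component of the destination path and require
    the resolved location to still lie under expected_root. os.path.realpath is the
    cross-platform stand-in used here for GetFinalPathNameByHandle."""
    real_root = os.path.realpath(expected_root)
    real_dest = os.path.realpath(dest)
    return real_dest == real_root or real_dest.startswith(real_root + os.sep)


def build_scenario(base):
    """Constructed layout: the top-level folder is genuine, but a folder further
    down the destination path is a symbolic link pointing out of the tree."""
    users_temp = os.path.join(base, "Users", "TEMP")          # expected destination root
    system_dir = os.path.join(base, "Windows", "System32")    # location outside that root
    os.makedirs(users_temp)
    os.makedirs(system_dir)
    appdata = os.path.join(users_temp, "AppData")
    os.makedirs(appdata)                                      # real directory at the top level
    os.symlink(system_dir, os.path.join(appdata, "Local"))    # link one level further down
    bad_dest = os.path.join(appdata, "Local", "Microsoft")    # copy target traversing the link
    safe_dest = os.path.join(users_temp, "Desktop")           # ordinary target, no link involved
    return users_temp, bad_dest, safe_dest, system_dir


def evaluate():
    """Run both checks against the constructed tree and report the outcomes."""
    base = tempfile.mkdtemp(prefix="profile_copy_demo_")
    try:
        users_temp, bad_dest, safe_dest, system_dir = build_scenario(base)
        resolved = os.path.realpath(bad_dest)
        return {
            # top-level-only check is satisfied, so it would let the copy proceed
            "top_level_only_passes_bad_dest": is_safe_top_level_only(bad_dest, users_temp),
            # full-path check sees that the destination leaves the expected root
            "final_path_passes_bad_dest": is_safe_final_path(bad_dest, users_temp),
            "bad_dest_resolves_into_system_dir": resolved.startswith(
                os.path.realpath(system_dir) + os.sep),
            # an ordinary destination still passes the stricter check
            "final_path_passes_safe_dest": is_safe_final_path(safe_dest, users_temp),
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for name, value in evaluate().items():
        print(f"{name}: {value}")
```

A path-string check like the one above is still a check-then-use pattern, so a link swapped in between the check and the copy can defeat it; the Win32 call resolves the path of a directory handle that has already been opened, which is why applying it to the handle the copy operation actually uses is the stronger form of the check.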

The vulnerability can be exploited on Windows 10 versions v21H1, v20H2, v2004 and v1909, and on 64-bit Windows Server 2019. 0Patch has released the micropatch for all affected versions; it can be found at this link.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news