{"id":21910,"date":"2021-10-29T17:33:33","date_gmt":"2021-10-29T15:33:33","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=21910"},"modified":"2022-11-03T10:39:55","modified_gmt":"2022-11-03T09:39:55","slug":"local-privilege-escalation-schwachstelle-0-day-in-allen-windows-versionen","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2021\/10\/29\/local-privilege-escalation-schwachstelle-0-day-in-allen-windows-versionen\/","title":{"rendered":"Local Privilege Escalation Vulnerability (0-day) in all Windows Versions"},"content":{"rendered":"<p><img decoding=\"async\" title=\"Windows\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" alt=\"Windows\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2021\/04\/Windows-klein.jpg\" width=\"200\" align=\"left\">[<a href=\"https:\/\/www.borncity.com\/blog\/2021\/10\/29\/local-privilege-escalation-schwachstelle-0-day-in-allen-windows-versionen\/\" target=\"_blank\" rel=\"noopener\">German<\/a>] All Windows versions, including Windows 11 and Windows Server 2022, contain an unpatched Local Privilege Escalation vulnerability. It was supposed to have been fixed in August 2021, but the security update in question did not close the vulnerability completely. Fortunately, the impact is limited, as the vulnerability is not easy to exploit. <\/p>\n<p><!--more--><\/p>\n<h2>Windows vulnerability CVE-2021-34484<\/h2>\n<p>In August 2021, Microsoft published security advisory <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-34484\">CVE-2021-34484<\/a> on a vulnerability in the Windows User Profile Service. This vulnerability allows Local Privilege Escalation (LPE). 
However, details of the vulnerability, which was reported by Abdelhamid Naceri (halov), who works for the <a href=\"https:\/\/www.zerodayinitiative.com\/\" target=\"_blank\" rel=\"noopener\">Trend Micro Zero Day Initiative<\/a>, were not provided. At the same time, Microsoft patched the vulnerability in the still-supported Windows versions via the August 2021 security updates.<\/p>\n<h2>Patch bypassed<\/h2>\n<p>Security researcher Abdelhamid Naceri then looked into the matter after installing the security update and found that it did not fully close the LPE vulnerability. He was able to bypass the security mechanism introduced by the Microsoft patch. Naceri points out the issue in the following <a href=\"https:\/\/twitter.com\/KLINIX5\/status\/1451558296872173577\" target=\"_blank\" rel=\"noopener\">tweet<\/a>. <\/p>\n<p><a href=\"https:\/\/twitter.com\/KLINIX5\/status\/1451558296872173577\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" title=\"CVE-2021-34484 bypass in Windows\" alt=\"CVE-2021-34484 bypass in Windows\" src=\"https:\/\/i.imgur.com\/Swi7e1M.png\"><\/a><\/p>\n<p>He described the details on <a href=\"https:\/\/web.archive.org\/web\/20220906084817\/https:\/\/github.com\/klinix5\/ProfSvcLPE\" target=\"_blank\" rel=\"noopener\">GitHub<\/a> and also <a href=\"https:\/\/web.archive.org\/web\/20220417093221\/https:\/\/github.com\/klinix5\/ProfSvcLPE\/tree\/main\/DoubleJunctionEoP\" target=\"_blank\" rel=\"noopener\">submitted a proof of concept<\/a> (PoC). With the 0-day PoC, he can obtain SYSTEM privileges under certain conditions. Security researcher Will Dormann writes in a <a href=\"https:\/\/twitter.com\/wdormann\/status\/1451672354241777667\" target=\"_blank\" rel=\"noopener\">tweet<\/a> that the PoC works. 
<\/p>\n<p><a href=\"https:\/\/twitter.com\/wdormann\/status\/1451672354241777667\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" title=\"CVE-2021-34484 bypass in Windows\" alt=\"CVE-2021-34484 bypass in Windows\" src=\"https:\/\/i.imgur.com\/aOY6QHV.png\"><\/a><\/p>\n<p>However, to exploit this PoC, an attacker would need to know a user's credentials, so the exploitability of the vulnerability should be low. Bleeping Computer has compiled more information on the topic in <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/all-windows-versions-impacted-by-new-lpe-zero-day-vulnerability\/\" target=\"_blank\" rel=\"noopener\">this article<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German] All Windows versions, including Windows 11 and Windows Server 2022, contain an unpatched Local Privilege Escalation vulnerability. It was supposed to have been fixed in August 2021, but the security update in question did not close the vulnerability completely. 
Fortunately, &hellip; <a href=\"https:\/\/borncity.com\/win\/2021\/10\/29\/local-privilege-escalation-schwachstelle-0-day-in-allen-windows-versionen\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,2],"tags":[69,194],"class_list":["post-21910","post","type-post","status-publish","format-standard","hentry","category-security","category-windows","tag-security","tag-windows"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/21910","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=21910"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/21910\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=21910"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=21910"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=21910"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}