A researcher has discovered that a Windows vulnerability for which Microsoft released an incomplete patch in August is more serious than initially believed.
Tracked as CVE-2021-34484, the bug is described by Microsoft as a Windows User Profile Service elevation of privilege, and requires local, authenticated access for exploitation. All versions of Windows, including Windows Server, are affected.
The security error resides in the User Profile Service, affecting code designed for creating a temporary user profile folder when the original profile folder is damaged.
Microsoft’s incomplete patch for the issue could be easily bypassed with only a small change in the attacker script, security researcher Abdelhamid Naceri, who discovered the vulnerability, found out.
The security error appears to have a greater impact than Microsoft’s initial assessment of it, as it could allow an attacker logged in as a regular user to execute code with System privileges.
The researcher discovered it was possible to use symbolic links to target the process of copying folders and files from the original profile folder to the temporary folder, which allows an attacker to create attacker-writable folders within a system location, and then use them to launch system processes to execute code.
Microsoft’s fix checked whether a symbolic link was used for the destination folder, and aborted the operation if so. However, the incomplete fix would only check for the symbolic link in the uppermost folder, but not in other folders along the destination path.
An attacker looking to exploit the vulnerability needs to win a race condition and possibly to obtain additional user credentials than the ones they are logged-on with, but they would have an unlimited number of attempts to successfully complete an attack.
A new CVE identifier, CVE-2021-33742, was issued for the flaw, and it is considered a zero-day, given that technical information, along with proof-of-concept (POC) code, have been public since October 22.
ACROS Security’s 0patch service has released an unofficial fix, which extends the security check to the entire destination path of the temporary folder, and aborts the creation of a temporary user profile if any symbolic links are present.
The 0patch fix is available for free until Microsoft releases an official patch for the vulnerability.
Related: Third-Party Patches Available for More PetitPotam Attack Vectors
Related: Microsoft Patch Tuesday: Windows Flaw Under Active Attack
Related: Vendor Ships Unofficial Patch for IE Zero-Day Vulnerability
More from Ionut Arghire
- Votiro Raises $11.5 Million to Prevent File-Borne Threats
- Lumen Technologies Hit by Two Cyberattacks
- Leaked Documents Detail Russia’s Cyberwarfare Tools, Including for OT Attacks
- Severe Azure Vulnerability Led to Unauthenticated Remote Code Execution
- 500k Impacted by Data Breach at Debt Buyer NCB
- Chinese Cyberspies Use ‘Melofee’ Linux Malware for Stealthy Attacks
- Microsoft Cloud Vulnerability Led to Bing Search Hijacking, Exposure of Office 365 Data
- OpenAI Patches Account Takeover Vulnerabilities in ChatGPT
Latest News
- Italy Temporarily Blocks ChatGPT Over Privacy Concerns
- FDA Announces New Cybersecurity Requirements for Medical Devices
- Report: Chinese State-Sponsored Hacking Group Highly Active
- Votiro Raises $11.5 Million to Prevent File-Borne Threats
- Lumen Technologies Hit by Two Cyberattacks
- Leaked Documents Detail Russia’s Cyberwarfare Tools, Including for OT Attacks
- Mandiant Investigating 3CX Hack as Evidence Shows Attackers Had Access for Months
- Severe Azure Vulnerability Led to Unauthenticated Remote Code Execution
