New Windows 10 Zero-Day Gives Administrative Privileges, Gets Unofficial Patch


A free unofficial patch has been released to protect Windows users from a local privilege escalation (LPE) zero-day vulnerability in the Mobile Device Management Service that affects Windows 10 from version 1809 up to the latest release.

The vulnerability exists in the “Access work or school” setting and bypasses a patch released by Microsoft in February 2021 to address an information disclosure bug tracked as CVE-2021-24084.

https://msrc.microsoft.com/updateguide/vulnerability/CVE-2021-24084

Abdelhamid Naceri, the security researcher who first reported the vulnerability, discovered that the still-unpatched flaw could also be exploited to gain administrative privileges, after having publicly disclosed the newly found bypass in June 2021.

“As HiveNightmare/SeriousSAM has taught us, an arbitrary file disclosure can be upgraded to local privilege escalation if we know which files to get and what to do with them,” explained Mitja Kolsek, co-founder of 0patch.

“We confirmed this by using the steps described in Raj Chandel’s blog post in combination with Abdelhamid’s bug, and were able to run code as a local administrator.”

Microsoft is likely also aware of the information Naceri released in June, but it has not yet patched this LPE bug, and Windows 10 systems with the latest November 2021 security updates remain vulnerable.

Fortunately, an attacker can only take advantage of this vulnerability if two very specific conditions are met.

  • System Protection must be enabled on drive C: and at least one restore point must have been created. Whether System Protection is enabled or disabled by default depends on various parameters.
  • At least one local administrator account must be enabled on the computer, or the credentials of at least one member of the “Administrators” group must be cached.
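The two preconditions above can be checked from an elevated Windows PowerShell 5.1 prompt. The script below is an added example written for this article, not code from 0patch, the researcher, or Microsoft. Its assumptions: the `RPSessionInterval` / `DisableSR` registry values are used as the indicator for System Protection being on (in place of the Settings UI), a VSS shadow copy of the system drive is treated as the artifact that matters alongside the restore-point list, and the cached-credential part is only indicative, since cached domain logons cannot be enumerated without reading the SECURITY hive.

```powershell
# Added example (not from 0patch or the article): report whether a Windows 10 host
# meets the two preconditions listed for this LPE. Run elevated in Windows
# PowerShell 5.1; Get-ComputerRestorePoint and the shadow-copy query need admin.
$ErrorActionPreference = 'Stop'

function Test-SystemProtectionEnabled {
    # Assumption: RPSessionInterval is 1 when System Protection is on and 0 when
    # it has been turned off; DisableSR = 1 means it is disabled by policy.
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $false }
    if ($props.PSObject.Properties['DisableSR'] -and $props.DisableSR -eq 1) { return $false }
    return [bool]($props.PSObject.Properties['RPSessionInterval'] -and $props.RPSessionInterval -eq 1)
}

function Get-SystemDriveShadowCopies {
    # Restore points are stored on VSS shadow copies; protected files on the
    # system drive become readable through the shadow copy device path. Match
    # Win32_ShadowCopy.VolumeName against the system drive's volume GUID path.
    $sysDrive = $env:SystemDrive   # normally "C:"
    $vol = Get-CimInstance -ClassName Win32_Volume -Filter "DriveLetter = '$sysDrive'"
    if ($null -eq $vol) { return @() }
    Get-CimInstance -ClassName Win32_ShadowCopy | Where-Object { $_.VolumeName -eq $vol.DeviceID }
}

function Get-EnabledLocalAdmins {
    # Local (non-domain) user accounts in the Administrators group that are enabled.
    # -ErrorAction SilentlyContinue: the cmdlet can fail on orphaned SIDs in the group.
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' }
    foreach ($m in $members) {
        $name = ($m.Name -split '\\')[-1]          # strip "COMPUTERNAME\"
        $u = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
        if ($u -and $u.Enabled) { $u }
    }
}

# --- run the checks ---
$protection = Test-SystemProtectionEnabled
$restorePts = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
$shadows    = @(Get-SystemDriveShadowCopies)
$admins     = @(Get-EnabledLocalAdmins)
# CachedLogonsCount says how many domain logons *may* be cached (default 10); it
# cannot tell you whether an Administrators member has actually logged on here.
$cachedCount = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon').CachedLogonsCount

$cond1 = $protection -and ($restorePts.Count -gt 0 -or $shadows.Count -gt 0)
$cond2 = $admins.Count -gt 0

"System Protection enabled        : $protection"
"Restore points                   : $($restorePts.Count)"
"Shadow copies of $env:SystemDrive  : $($shadows.Count)"
"Enabled local admin accounts     : $($admins.Name -join ', ')"
"CachedLogonsCount (domain cache) : $cachedCount"
""
if ($cond1 -and $cond2) {
    "EXPOSED: both preconditions hold; apply the 0patch micropatch or reduce exposure."
} elseif ($cond1) {
    "PARTIAL: restore data is present but no enabled local admin found; cached domain admin credentials could still satisfy the second condition."
} else {
    "NOT MET: no System Protection data for the system drive; the described exploitation path does not apply."
}
```

On a domain-joined machine the second condition is the hard one to rule out: the script can only show that no local administrator account is enabled, and the CachedLogonsCount value tells you whether domain credentials are cached at all, not whose. Treat a non-zero count on a host that domain administrators log on to as a reason to assume the condition holds.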

Unofficial patch for all affected Windows 10 systems

Until Microsoft releases a security update to address this issue, the 0patch micropatching service has released a free unofficial patch for all affected Windows 10 versions (Windows 10 21H2 is also affected, but is not yet supported by 0patch).

  • Windows 10 v21H1 (32 & 64 bit) updated with November 2021 Updates
  • Windows 10 v20H2 (32 & 64 bit) updated with November 2021 Updates
  • Windows 10 v2004 (32 & 64 bit) updated with November 2021 Updates
  • Windows 10 v1909 (32 & 64 bit) updated with November 2021 Updates
  • Windows 10 v1809 (32 & 64 bit) updated with May 2021 Updates

Windows Server is not affected, as the vulnerable functionality is not present there. Similar diagnostic tools exist on servers, but they run under the identity of the user who launched them and therefore cannot be exploited in this way.

Windows 10 v1803 and earlier versions of Windows 10 do not appear to be affected. These versions also have the “Access work or school” feature, but it works differently and cannot be exploited in this way; Windows 7 does not have the “Access work or school” feature at all.

How to install the micropatch

To install the unofficial patch on a system, register a 0patch account and install the 0patch agent.

Once the agent is running on a device, the micropatch is applied automatically, without requiring a reboot.

Separately, a proof-of-concept (PoC) exploit released over the weekend by Naceri for a different zero-day can be used to gain SYSTEM privileges on devices running the latest Windows versions, including Windows 10, Windows 11, and Windows Server 2022.

Malware authors have begun testing that PoC exploit in a small number of attacks and appear to be focused on testing and tweaking it for a future full-scale campaign.
