A free, unofficial patch is available for a local privilege escalation zero-day vulnerability in the Windows User Profile Service that allows an attacker to gain SYSTEM privileges under certain conditions.
https://blog.0patch.com/2021/11/micropatching-incompletely-patched.html
This vulnerability exists in the user profile service.
In particular, it exists in the code that creates a temporary user profile folder if the user’s original profile folder is corrupted or locked for any reason.
It was discovered that the process of copying folders and files from the user’s original profile folder to the temporary profile folder, which runs as Local System, can be attacked with symbolic links to create a folder in a system location that is writable by the attacker, and that a system process launched afterwards could then load and execute the attacker’s DLL.
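The attack described above ends with an attacker-writable folder in a system location. As an added example (not from the article or from 0patch), this PowerShell audit lists folders under a root that are reparse points or grant write access to principals outside a trusted list; the scan root (`%SystemRoot%\System32`), the depth and the trusted-SID list are assumptions to adjust.

```powershell
# Added example: audit a system location for folders that a non-privileged
# principal can write into, or that are reparse points (links/junctions).
param(
    [string]$Root  = (Join-Path $env:SystemRoot 'System32'),  # assumed scan root
    [int]   $Depth = 1                                        # assumed recursion depth
)

# SIDs treated as trusted writers (assumption; extend to match your baseline).
$trusted = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# WriteData/CreateFiles (0x2), AppendData/CreateDirectories (0x4), plus the
# generic rights GENERIC_WRITE and GENERIC_ALL, which some ACEs carry unmapped.
$writeBits   = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$sidType     = [System.Security.Principal.SecurityIdentifier]

Get-ChildItem -LiteralPath $Root -Directory -Recurse -Depth $Depth -Force -ErrorAction SilentlyContinue |
ForEach-Object {
    $dir    = $_
    $isLink = [bool]($dir.Attributes -band [IO.FileAttributes]::ReparsePoint)

    try   { $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop }
    catch { return }   # ACL not readable from this context: skip the folder

    # Collect the SIDs of every untrusted principal with an effective write ACE.
    $writers = @(foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow')           { continue }
        if ($ace.PropagationFlags -band $inheritOnly)     { continue }  # applies to children only
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights) -band $writeBits) { $ace.IdentityReference.Value }
    })

    if ($writers.Count -gt 0 -or $isLink) {
        [pscustomobject]@{
            Path         = $dir.FullName
            ReparsePoint = $isLink
            Owner        = $acl.Owner
            Writers      = ($writers | Sort-Object -Unique) -join ', '
        }
    }
}
```

Some folders are writable by standard users on a clean install, so compare the output against a known-good baseline from an unaffected machine rather than treating every row as a finding.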
This vulnerability, tracked as CVE-2021-34484, was incompletely patched by Microsoft in the August Update.
Microsoft only addressed the impact of the proof of concept (PoC) provided by security researcher Abdelhamid Naceri, who reported the issue. It was later discovered that, when certain conditions are met, an attacker could still bypass Microsoft’s patch to elevate privileges and gain SYSTEM privileges, obtaining an elevated command prompt while the User Account Control (UAC) prompt is displayed.
We tested the CVE-2021-34484 bypass PoC exploit and it immediately launched an elevated command prompt.
Fortunately, this vulnerability is not likely to be as widely exploited as other LPE bugs (including PrintNightmare) because it requires the attacker to know the credentials of another user and log in in order to exploit it.
On the other hand, the vulnerability affects devices running all Windows versions, including Windows 10, Windows 11, and Windows Server 2022.
He further stated that the attacker only needs a separate domain account to deploy the exploit during the attack.
After the bypass of CVE-2021-34484 was reported, Microsoft said it is aware of the issue and will “take appropriate action to protect our customers.”
While Microsoft is working on a security update to address this zero-day flaw, 0patch, a micropatch service, has released a free unofficial patch (called a micropatch).
0patch developed the micropatch based on the information provided in the article on, and the PoC for, the Windows User Profile Service 0day LPE.
Applying this free patch will block attacks using the CVE-2021-34484 bypass on the following Windows versions:
- Windows 10 v21H1 (32 & 64 bit) updated with October or November 2021 Updates
- Windows 10 v20H2 (32 & 64 bit) updated with October or November 2021 Updates
- Windows 10 v2004 (32 & 64 bit) updated with October or November 2021 Updates
- Windows 10 v1909 (32 & 64 bit) updated with October or November 2021 Updates
- Windows Server 2019 (64 bit) updated with October or November 2021 Updates
This vulnerability has already been assigned a CVE ID (CVE-2021-33742), but since there is no official fix from the vendor, it is considered 0day.
In order to install this unofficial patch on your system, you must first register a 0patch account and install the 0patch agent.
When the agent is started, the micropatches are automatically applied (if not blocked by the enterprise policy for custom patches) and there is no need to reboot the device.
Here’s a video demonstration of the CVE-2021-33742 micropatch in action