CVSS3: 7.8 High
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS2: 6.9 Medium
Access Vector: LOCAL
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C

EPSS: 0.003 Low (Percentile 63.8%)
Windows User Profile Service Elevation of Privilege Vulnerability
Recent assessments:
gwillcox-r7 at March 30, 2022 4:52pm UTC reported:
This is a bypass for CVE-2022-21919 which is in turn a bypass for CVE-2021-34484. As noted at <https://twitter.com/billdemirkapi/status/1508527492285575172>, CVE-2022-21919 was already being exploited in the wild by using the binary from <https://github.com/klinix5/ProfSvcLPE/blob/main/DoubleJunctionEoP/Release/UserProfileSvcEoP.exe>.
The vulnerability, near as I can tell, occurs due to the CreateDirectoryJunction() function inside profext.dll not appropriately validating things before creating a directory junction between two directories. This can allow an attacker to create a directory junction between a directory they have access to and another directory that they should not have access to, thereby granting them the ability to plant files in sensitive locations and/or read sensitive files.
The exploit code for this, which was originally at <https://github.com/klinix5/SuperProfile> but which got taken down, is now available at <https://github.com/rmusser01/SuperProfile> and its associated forks. I have taken this code and updated it and touched it up a bit into a Metasploit exploit module that is now available at <https://github.com/rapid7/metasploit-framework/pull/16382>.
This exploit code utilizes this vulnerability to plant a malicious comctl32.dll binary in a location that the Narrator.exe program will try to load the DLL from when it starts. By utilizing the ShellExecute command with the runas option, we can force a UAC prompt to come up that will cause the consent.exe program to run. If the PromptOnSecureDesktop setting is set to 1, which is the default, this will result in consent.exe running as SYSTEM on the secure desktop, and a new narrator.exe instance will also spawn as SYSTEM on the secure desktop, which will then load the malicious comctl32.dll DLL and allow us to execute our code as SYSTEM.
Note that if PromptOnSecureDesktop is set to 0 under the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, then this LPE will not be possible as the UAC prompt will spawn as the current user vs as SYSTEM on the restricted desktop, and therefore we will not achieve privilege elevation, so this is a workaround for the vulnerability whilst it is not patched.
It should be noted that as this stands the current exploit requires valid credentials for another user on the system who is a non-admin user and who has permissions to log into the target computer. They must also have a profile under C:\Users for the exploit to function in its current state. There have been some rumors that it might be possible to do this without a secondary login, however nothing concrete has been found so far, so we are considering this a prerequisite for exploitation for the time being.
We, aka Rapid7, have reported this vulnerability to Microsoft and have given KLINIX5, who originally found this vulnerability and wrote the original exploit code, full credit for the discovery, however Microsoft have only given us this CVE number and have not provided a timeline on when they expect a fix for this vulnerability at this time. It is therefore recommended to use the mitigation above until an appropriate fix is developed.
Assessed Attacker Value: 4
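As an added example (not part of the assessment above nor of the Metasploit module it mentions), a PowerShell audit that reports whether the PromptOnSecureDesktop workaround is in effect and lists directory junctions under C:\Users whose target lies outside their own profile, the artifact left behind when profext.dll is abused to junction a user-writable directory into a sensitive location. It assumes Windows PowerShell 5.1 or later (for the LinkType and Target properties) and an elevated prompt; the function names are this example's own.

```powershell
# Added example, not code from the AttackerKB post or the Metasploit module.
# Assumes Windows PowerShell 5.1+ and an elevated prompt; function names are hypothetical.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-PromptOnSecureDesktop {
    # Returns the effective PromptOnSecureDesktop value. An absent value means the default (1):
    # consent.exe runs as SYSTEM on the secure desktop, which is the path the chain above relies on.
    $item = Get-ItemProperty -Path $PolicyKey -Name 'PromptOnSecureDesktop' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 1 }
    return [int]$item.PromptOnSecureDesktop
}

function Find-EscapingProfileJunctions {
    param([string]$ProfileRoot = 'C:\Users')
    # Legitimate profile junctions (e.g. "Application Data") stay inside the profile tree;
    # any junction whose target leaves the profile directory is reported for review.
    foreach ($dir in Get-ChildItem -Path $ProfileRoot -Directory -Force -ErrorAction SilentlyContinue) {
        Get-ChildItem -Path $dir.FullName -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer -and $_.LinkType -eq 'Junction' } |
            ForEach-Object {
                $target = [string]($_.Target | Select-Object -First 1)
                if ($target -and -not $target.StartsWith($dir.FullName, [StringComparison]::OrdinalIgnoreCase)) {
                    [pscustomobject]@{ Profile = $dir.Name; Junction = $_.FullName; Target = $target }
                }
            }
    }
}

$prompt = Get-PromptOnSecureDesktop
if ($prompt -eq 0) {
    Write-Output "PromptOnSecureDesktop=0: workaround in place, consent.exe will not prompt as SYSTEM on the secure desktop."
} else {
    Write-Output "PromptOnSecureDesktop=$prompt (default): secure-desktop prompt path available; apply the workaround until patched."
}

$escaping = @(Find-EscapingProfileJunctions)
if ($escaping.Count -eq 0) {
    Write-Output "No junctions under C:\Users point outside their own profile."
} else {
    Write-Output "Junctions leaving their profile (review these):"
    $escaping | Format-Table -AutoSize
}
```

On Windows PowerShell 5.1, Get-ChildItem -Recurse follows junctions, so scanning large profiles can take a while; the access-denied legacy junctions inside each profile are skipped silently by -ErrorAction SilentlyContinue.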