AttackerKB AKB:5ABBD3E2-AA30-41CB-96DA-34B5E76D030C
History: Apr 15, 2022 - 12:00 a.m.

CVE-2022-26904

2022-04-15 00:00:00
attackerkb.com
553

CVSS3: 7.8 High
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS2: 6.9 Medium
Access Vector: LOCAL
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C

EPSS: 0.003 Low
Percentile: 63.8%

Windows User Profile Service Elevation of Privilege Vulnerability

Recent assessments:

gwillcox-r7 at March 30, 2022 4:52pm UTC reported:

This is a bypass for CVE-2022-21919 which is in turn a bypass for CVE-2021-34484. As noted at <https://twitter.com/billdemirkapi/status/1508527492285575172>, CVE-2022-21919 was already being exploited in the wild by using the binary from <https://github.com/klinix5/ProfSvcLPE/blob/main/DoubleJunctionEoP/Release/UserProfileSvcEoP.exe>.

The vulnerability, near as I can tell, occurs due to the CreateDirectoryJunction() function inside profext.dll not appropriately validating things before creating a directory junction between two directories. This can allow an attacker to create a directory junction between a directory they have access to and another directory that they should not have access to, thereby granting them the ability to plant files in sensitive locations and/or read sensitive files.

The exploit code for this, which was originally at <https://github.com/klinix5/SuperProfile> but which got taken down, is now available at <https://github.com/rmusser01/SuperProfile> and its associated forks. I have taken this code and updated it and touched it up a bit into a Metasploit exploit module that is now available at <https://github.com/rapid7/metasploit-framework/pull/16382>.

This exploit code utilizes this vulnerability to plant a malicious comctl32.dll binary in a location that the Narrator.exe program will try to load the DLL from when it starts. By utilizing the ShellExecute command with the runas option, we can force a UAC prompt to come up that will cause the consent.exe program to run. If the PromptOnSecureDesktop setting is set to 1, which is the default, this will result in consent.exe running as SYSTEM on the secure desktop, and a new narrator.exe instance will also spawn as SYSTEM on the secure desktop, which will then load the malicious comctl32.dll DLL and allow us to execute our code as SYSTEM.

Note that if PromptOnSecureDesktop is set to 0 under the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, then this LPE will not be possible, as the UAC prompt will spawn as the current user versus as SYSTEM on the restricted desktop, and therefore we will not achieve privilege elevation, so this is a workaround for the vulnerability whilst it is not patched.

It should be noted that, as this stands, the current exploit requires valid credentials for another user on the system who is a non-admin user and who has permissions to log into the target computer. They must also have a profile under C:\Users for the exploit to function in its current state. There have been some rumors that it might be possible to do this without a secondary login; however, nothing concrete has been found so far, so we are considering this a prerequisite for exploitation for the time being.

We, aka Rapid7, have reported this vulnerability to Microsoft and have given KLINIX5, who originally found this vulnerability and wrote the original exploit code, full credit for the discovery; however, Microsoft have only given us this CVE number and have not provided a timeline on when they expect a fix for this vulnerability at this time. It is therefore recommended to use the mitigation above until an appropriate fix is developed.

Assessed Attacker Value: 4
Assessed Attacker Value: 3
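The following is an added administrator-side audit script, not code from the assessment above or from the SuperProfile / Metasploit projects. It checks whether the PromptOnSecureDesktop workaround the post describes is in place and lists directory junctions under C:\Users whose target resolves outside the profile that contains them, which is the kind of junction the profext.dll bug lets an attacker create. It assumes Windows PowerShell 5.1 or PowerShell 7 running elevated, and that profiles live under C:\Users.

```powershell
# Added example (not from the AttackerKB post). Assumes an elevated shell.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$props = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
$value = $props.PromptOnSecureDesktop

if ($null -eq $value -or $value -eq 1) {
    # An absent value behaves like the default of 1: consent.exe runs as SYSTEM
    # on the secure desktop, which the described exploit chain depends on.
    $shown = if ($null -eq $value) { 'not set (defaults to 1)' } else { $value }
    Write-Output "PromptOnSecureDesktop = $shown; workaround NOT applied"
} else {
    Write-Output "PromptOnSecureDesktop = $value; workaround applied (UAC prompts no longer use the secure desktop)"
}

# Windows itself creates these two junctions at the top of C:\Users for legacy
# compatibility; they are expected and excluded by name.
$knownJunctions = @('All Users', 'Default User')
$profilesRoot   = 'C:\Users'

Get-ChildItem -Path $profilesRoot -Directory -Force -Recurse -Depth 3 -ErrorAction SilentlyContinue |
    Where-Object { $_.LinkType -eq 'Junction' -and $knownJunctions -notcontains $_.Name } |
    ForEach-Object {
        # Target is string[] on 5.1 and string on 7; take the first entry either way.
        $target = [string]($_.Target | Select-Object -First 1)
        # The profile directory is the first path component below C:\Users.
        $relative   = $_.FullName.Substring($profilesRoot.Length).TrimStart('\')
        $profileDir = Join-Path $profilesRoot ($relative -split '\\')[0]
        # Per-profile compatibility junctions (e.g. "Application Data") stay
        # inside the profile, so only a target that escapes it is flagged.
        $escapes = -not $target.StartsWith($profileDir, [StringComparison]::OrdinalIgnoreCase)
        [pscustomobject]@{
            Junction = $_.FullName
            Target   = $target
            Suspect  = $escapes
        }
    } | Sort-Object -Property Suspect -Descending | Format-Table -AutoSize
```

Rows with Suspect set to True are the ones to investigate; a junction from a user-writable profile path into a location the user could not normally write to matches the behaviour the post attributes to CreateDirectoryJunction().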
