DSInternals Credential Roaming Elevation of Privilege Vulnerability

Impact

A vulnerability exists in the DSInternals.Common.Data.RoamedCredential.Save() method, which incorrectly parses the msPKIAccountCredentials LDAP attribute values. As a consequence, a malicious actor would be able to modify the file system of the computer where an application using this function is executed with administrative privileges.

A similar security issue used to be present in the Windows operating system, as DSInternals re-implements the Credential Roaming feature of Windows.

Exploitability

The vulnerability can be exploited under the following circumstances:

• An attacker is able to modify the msPKIAccountCredentials attribute of a user account in Active Directory. This attribute is used by the Credential Roaming feature of Windows and each AD user can modify their own roamed credentials. AND
• A 3rd party application uses the DSInternals.Common library to export roamed credentials from Active Directory to a file system. AND
• The application has administrative privileges on the local system.

The probability of any 3rd-party product using the DSInternals.Common library being affected by this vulnerability is extremely low.

Patches

The issue had been fixed in DSInternals 4.8.

References

https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming