Researchers have discovered a new Windows zero-day privilege escalation vulnerability affecting all Windows versions.
In August, Microsoft released a security patch for the CVE-2021-34484 Windows User Provisioning Service Privilege Escalation Vulnerability. After the patch was released, security researcher Naceri discovered that the patch did not fully fix the vulnerability and could be bypassed using a new exploit.
In a previous analysis of the CVE-2021-34484 vulnerability, a user could abuse the user configuration service to create a second junction. However, both the ZDI security bulletin and the Microsoft patch treated the flaw as an arbitrary directory deletion vulnerability. Microsoft fixed only the symptom of the vulnerability and did not solve the underlying problem. Researchers can still achieve privilege escalation by modifying the previous PoC exploit.
The exploit requires the attacker to know another user’s username and password, so it is not as severe as other privilege escalation flaws. Dormann, a CERT/CC vulnerability analyst, tested the vulnerability and found that the exploit did not successfully create an elevated command line every time. After testing the vulnerability, BleepingComputer researchers successfully launched an elevated command line window:
[Image: The exploit starts the command line with SYSTEM privileges]
For now, the good news about this vulnerability is that the exploit requires an attacker to know another user’s username and password to trigger it, so it may not be widely used in attacks. The bad news is that the vulnerability affects all Windows versions, including the latest ones such as Windows 10, Windows 11, and Windows Server 2022.