Windows’s File History Service Flaw Let Attackers Escalate Privileges
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
A Privilege Escalation was recently discovered, which affects Windows’s File History service and can be used by threat actors to gain escalated privileges on a Windows System.
This issue was reported to Microsoft, and necessary patches have been published to fix this vulnerability.
File History for Windows is a backup and restore feature that automatically backs up the data stored in Libraries, Desktops, Favourites folder, etc. It can also backup the data to an external source like USB, Flash drive, or HDD.
CVE-2023-35359 – Windows Privilege Escalation
This vulnerability exists since the File History runs with system privileges that can be exploited to elevate the privileges from a normal user to a system user in order to perform malicious activities as a system user.
When the File History service is started, it loads the core file fhsvc.dll and the CManagerThread::QueueBackupForLoggedOnUser function, which is found to be vulnerable. This function simulates the logged-in user and loads the fhcfg.dll file, which is the root cause of this vulnerability.
File History can be manually started by a normal user, and additionally, the DosDevices can also be modified. Moreover, when fhcfg.dll is loaded, it also contains the resource for a manifest, and the csrss.exe (Client/Server Runtime Subsystem) also impersonates the identity of the normal user.
A normal user can modify the DosDevices to point to a fake directory like C:\Users\Public\test, followed by the csrss.exe. The fake directory must contain a link to another DLL, which will be used for escalating privileges.
SSD Disclosure has published a complete report, which provides detailed information about the proof-of-concept, exploitation method, and the core cause of this vulnerability.
Affected Products
Product Platforms Affected Versions Windows Server 2019x64-based Systemsaffected from 10.0.0 before 10.0.17763.4737Windows 10 Version 180932-bit Systems, x64-based Systems, ARM64-based Systemsaffected from 10.0.0 before 10.0.17763.4737Windows Server 2019 (Server Core installation)x64-based Systemsaffected from 10.0.0 before 10.0.17763.4737Windows Server 2022x64-based Systemsaffected from 10.0.0 before 10.0.20348.1906affected from 10.0.0 before 10.0.20348.1903Windows 11 version 21H2x64-based Systems, ARM64-based Systemsaffected from 10.0.0 before 10.0.22000.2295Windows 10 Version 21H232-bit Systems, ARM64-based Systemsaffected from 10.0.0 before 10.0.19044.3324Windows 11 version 22H2ARM64-based Systems, x64-based Systemsaffected from 10.0.0 before 10.0.22621.2134Windows 10 Version 22H2x64-based Systems, ARM64-based Systems, 32-bit Systemsaffected from 10.0.0 before 10.0.19045.3324Windows 10 Version 150732-bit Systems, x64-based Systemsaffected from 10.0.0 before 10.0.10240.20107Windows 10 Version 160732-bit Systems, x64-based Systemsaffected from 10.0.0 before 10.0.14393.6167Windows Server 2016x64-based Systemsaffected from 10.0.0 before 10.0.14393.6167Windows Server 2016 (Server Core installation)x64-based Systemsaffected from 10.0.0 before 10.0.14393.6167Windows Server 2008 Service Pack 232-bit Systemsaffected from 6.0.0 before 6.0.6003.22216Windows Server 2008 Service Pack 2 (Server Core installation)32-bit Systems, x64-based Systemsaffected from 6.0.0 before 6.0.6003.22216Windows Server 2008 Service Pack 2x64-based Systemsaffected from 6.0.0 before 6.0.6003.22216Windows Server 2008 R2 Service Pack 1x64-based Systemsaffected from 6.1.0 before 6.1.7601.26664Windows Server 2008 R2 Service Pack 1 (Server Core installation)x64-based Systemsaffected from 6.0.0 before 6.1.7601.26664Windows Server 2012x64-based Systemsaffected from 6.2.0 before 6.2.9200.24414Windows Server 2012 (Server Core installation)x64-based Systemsaffected from 6.2.0 before 6.2.9200.24414Windows Server 2012 R2x64-based Systemsaffected from 6.3.0 before 6.3.9600.21503Windows Server 2012 R2 (Server Core installation)x64-based Systemsaffected from 6.3.0 before 6.3.9600.21503Source: cve.org
Users of these products are recommended to upgrade to the latest version, as mentioned by Microsoft.
#Cyber_Security_News #Vulnerability #cyber_security #vulnerability #windows
Оригинальная версия на сайте:
Windows’s File History Service Flaw Let Attackers Escalate Privileges
Author: EswarA Privilege Escalation was recently discovered, which affects Windows’s File History service and can be used by threat actors to gain escalated privileges on a Windows System.
This issue was reported to Microsoft, and necessary patches have been published to fix this vulnerability.
File History for Windows is a backup and restore feature that automatically backs up the data stored in Libraries, Desktops, Favourites folder, etc. It can also backup the data to an external source like USB, Flash drive, or HDD.
CVE-2023-35359 – Windows Privilege Escalation
This vulnerability exists since the File History runs with system privileges that can be exploited to elevate the privileges from a normal user to a system user in order to perform malicious activities as a system user.
When the File History service is started, it loads the core file fhsvc.dll and the CManagerThread::QueueBackupForLoggedOnUser function, which is found to be vulnerable. This function simulates the logged-in user and loads the fhcfg.dll file, which is the root cause of this vulnerability.
File History can be manually started by a normal user, and additionally, the DosDevices can also be modified. Moreover, when fhcfg.dll is loaded, it also contains the resource for a manifest, and the csrss.exe (Client/Server Runtime Subsystem) also impersonates the identity of the normal user.
A normal user can modify the DosDevices to point to a fake directory like C:\Users\Public\test, followed by the csrss.exe. The fake directory must contain a link to another DLL, which will be used for escalating privileges.
SSD Disclosure has published a complete report, which provides detailed information about the proof-of-concept, exploitation method, and the core cause of this vulnerability.
Affected Products
Product Platforms Affected Versions Windows Server 2019x64-based Systemsaffected from 10.0.0 before 10.0.17763.4737Windows 10 Version 180932-bit Systems, x64-based Systems, ARM64-based Systemsaffected from 10.0.0 before 10.0.17763.4737Windows Server 2019 (Server Core installation)x64-based Systemsaffected from 10.0.0 before 10.0.17763.4737Windows Server 2022x64-based Systemsaffected from 10.0.0 before 10.0.20348.1906affected from 10.0.0 before 10.0.20348.1903Windows 11 version 21H2x64-based Systems, ARM64-based Systemsaffected from 10.0.0 before 10.0.22000.2295Windows 10 Version 21H232-bit Systems, ARM64-based Systemsaffected from 10.0.0 before 10.0.19044.3324Windows 11 version 22H2ARM64-based Systems, x64-based Systemsaffected from 10.0.0 before 10.0.22621.2134Windows 10 Version 22H2x64-based Systems, ARM64-based Systems, 32-bit Systemsaffected from 10.0.0 before 10.0.19045.3324Windows 10 Version 150732-bit Systems, x64-based Systemsaffected from 10.0.0 before 10.0.10240.20107Windows 10 Version 160732-bit Systems, x64-based Systemsaffected from 10.0.0 before 10.0.14393.6167Windows Server 2016x64-based Systemsaffected from 10.0.0 before 10.0.14393.6167Windows Server 2016 (Server Core installation)x64-based Systemsaffected from 10.0.0 before 10.0.14393.6167Windows Server 2008 Service Pack 232-bit Systemsaffected from 6.0.0 before 6.0.6003.22216Windows Server 2008 Service Pack 2 (Server Core installation)32-bit Systems, x64-based Systemsaffected from 6.0.0 before 6.0.6003.22216Windows Server 2008 Service Pack 2x64-based Systemsaffected from 6.0.0 before 6.0.6003.22216Windows Server 2008 R2 Service Pack 1x64-based Systemsaffected from 6.1.0 before 6.1.7601.26664Windows Server 2008 R2 Service Pack 1 (Server Core installation)x64-based Systemsaffected from 6.0.0 before 6.1.7601.26664Windows Server 2012x64-based Systemsaffected from 6.2.0 before 6.2.9200.24414Windows Server 2012 (Server Core installation)x64-based Systemsaffected from 6.2.0 before 6.2.9200.24414Windows Server 2012 R2x64-based Systemsaffected from 6.3.0 before 6.3.9600.21503Windows Server 2012 R2 (Server Core installation)x64-based Systemsaffected from 6.3.0 before 6.3.9600.21503Source: cve.org
Users of these products are recommended to upgrade to the latest version, as mentioned by Microsoft.
#Cyber_Security_News #Vulnerability #cyber_security #vulnerability #windows
Оригинальная версия на сайте:
