Attacker Value
High
(1 user assessed)
Exploitability
Moderate
(1 user assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Local
4

CVE-2022-26904

Disclosure Date: April 15, 2022
Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Defense Evasion
Techniques
Validation
Validated
Validated
Validated
Validated
Lateral Movement
Techniques
Validation
Validated
Validated
Validated
Validated
Validated
Privilege Escalation
Techniques
Validation
Validated

Description

Windows User Profile Service Elevation of Privilege Vulnerability

Add Assessment

1
Ratings
Technical Analysis

This is a bypass for CVE-2022-21919 which is in turn a bypass for CVE-2021-34484. As noted at https://twitter.com/billdemirkapi/status/1508527492285575172, CVE-2022-21919 was already being exploited in the wild by using the binary from https://github.com/klinix5/ProfSvcLPE/blob/main/DoubleJunctionEoP/Release/UserProfileSvcEoP.exe.

The vulnerability, near as I can tell, occurs due to the CreateDirectoryJunction() function inside profext.dll not appropriately validating things before creating a directory junction between two directories. This can allow an attacker to create a directory junction between a directory they have access to and another directory that they should not have access to, thereby granting them the ability to plant files in sensitive locations and or read sensitive files.

The exploit code for this, which was originally at https://github.com/klinix5/SuperProfile but which got taken down, is now available at https://github.com/rmusser01/SuperProfile and its associated forks. I have taken this code and updated it and touched it up a bit into a Metasploit exploit module that is now available at https://github.com/rapid7/metasploit-framework/pull/16382.

This exploit code utilizes this vulnerability to plant a malicious comctl32.dll binary in a location that the Narrator.exe program will try to load the DLL from when it starts. By utilizing the ShellExecute command with the runas option, we can force a UAC prompt to come up that will run the consent.exe program to run. If the PromptOnSecureDesktop setting is set to 1 which is the default, this will result in consent.exe running as SYSTEM on the secure desktop, and a new narrator.exe instance will also spawn as SYSTEM on the secure desktop, which will then load the malicious comctl32.dll DLL and allow us to execute our code as SYSTEM.

Note that if PromptOnSecureDesktop is set to 0 under the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, then this LPE will not be possible as the UAC prompt will spawn as the current user vs as SYSTEM on the restricted desktop, and therefore we will not achieve privilege elevation, so this is a workaround for the vulnerability whilst it is not patched.

It should be noted that as this stands the current exploit requires valid credentials for another user on the system who is a non-admin user and who has permissions to log into the target computer. They must also have a profile under C:\Users for the exploit to function in its current state. There has been some rumors that it might be possible to do this without a secondary login, however nothing concrete has been found so far, so we are considering this a prerequisite for exploitation for the time being.

We, aka Rapid7, have reported this vulnerability to Microsoft and have given KLINIX5, who originally found this vulnerability and wrote the original exploit code, full credit for the discovery, however Microsoft have only given us this CVE number and have not provided a timeline on when they expect a fix for this vulnerability at this time. It is therefore recommended to use the mitigation above until an appropriate fix is developed.

CVSS V3 Severity and Metrics
Base Score:
7.0 High
Impact Score:
5.9
Exploitability Score:
1
Vector:
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Local
Attack Complexity (AC):
High
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • microsoft

Products

  • windows 10 1507,
  • windows 10 1607,
  • windows 10 1809,
  • windows 10 1909,
  • windows 10 20h2,
  • windows 10 21h1,
  • windows 10 21h2,
  • windows 11 21h2,
  • windows 7 -,
  • windows 8.1 -,
  • windows rt 8.1 -,
  • windows server 2008,
  • windows server 2008 r2,
  • windows server 2012 -,
  • windows server 2012 r2,
  • windows server 2016,
  • windows server 2019,
  • windows server 2022,
  • windows server 20h2

Exploited in the Wild

Reported by:

Additional Info

Technical Analysis