High
CVE-2022-26904
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
High
(1 user assessed)Moderate
(1 user assessed)Unknown
Unknown
Unknown
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
Windows User Profile Service Elevation of Privilege Vulnerability
Add Assessment
Ratings
-
Attacker ValueHigh
-
ExploitabilityMedium
Technical Analysis
This is a bypass for CVE-2022-21919 which is in turn a bypass for CVE-2021-34484. As noted at https://twitter.com/billdemirkapi/status/1508527492285575172, CVE-2022-21919 was already being exploited in the wild by using the binary from https://github.com/klinix5/ProfSvcLPE/blob/main/DoubleJunctionEoP/Release/UserProfileSvcEoP.exe.
The vulnerability, near as I can tell, occurs due to the CreateDirectoryJunction()
function inside profext.dll
not appropriately validating things before creating a directory junction between two directories. This can allow an attacker to create a directory junction between a directory they have access to and another directory that they should not have access to, thereby granting them the ability to plant files in sensitive locations and or read sensitive files.
The exploit code for this, which was originally at https://github.com/klinix5/SuperProfile but which got taken down, is now available at https://github.com/rmusser01/SuperProfile and its associated forks. I have taken this code and updated it and touched it up a bit into a Metasploit exploit module that is now available at https://github.com/rapid7/metasploit-framework/pull/16382.
This exploit code utilizes this vulnerability to plant a malicious comctl32.dll
binary in a location that the Narrator.exe
program will try to load the DLL from when it starts. By utilizing the ShellExecute
command with the runas
option, we can force a UAC prompt to come up that will run the consent.exe
program to run. If the PromptOnSecureDesktop
setting is set to 1
which is the default, this will result in consent.exe
running as SYSTEM
on the secure desktop, and a new narrator.exe
instance will also spawn as SYSTEM
on the secure desktop, which will then load the malicious comctl32.dll
DLL and allow us to execute our code as SYSTEM
.
Note that if PromptOnSecureDesktop
is set to 0 under the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
, then this LPE will not be possible as the UAC prompt will spawn as the current user vs as SYSTEM
on the restricted desktop, and therefore we will not achieve privilege elevation, so this is a workaround for the vulnerability whilst it is not patched.
It should be noted that as this stands the current exploit requires valid credentials for another user on the system who is a non-admin user and who has permissions to log into the target computer. They must also have a profile under C:\Users
for the exploit to function in its current state. There has been some rumors that it might be possible to do this without a secondary login, however nothing concrete has been found so far, so we are considering this a prerequisite for exploitation for the time being.
We, aka Rapid7, have reported this vulnerability to Microsoft and have given KLINIX5, who originally found this vulnerability and wrote the original exploit code, full credit for the discovery, however Microsoft have only given us this CVE number and have not provided a timeline on when they expect a fix for this vulnerability at this time. It is therefore recommended to use the mitigation above until an appropriate fix is developed.
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportCVSS V3 Severity and Metrics
General Information
Vendors
- microsoft
Products
- windows 10 1507,
- windows 10 1607,
- windows 10 1809,
- windows 10 1909,
- windows 10 20h2,
- windows 10 21h1,
- windows 10 21h2,
- windows 11 21h2,
- windows 7 -,
- windows 8.1 -,
- windows rt 8.1 -,
- windows server 2008,
- windows server 2008 r2,
- windows server 2012 -,
- windows server 2012 r2,
- windows server 2016,
- windows server 2019,
- windows server 2022,
- windows server 20h2
Exploited in the Wild
Would you like to delete this Exploited in the Wild Report?
Yes, delete this reportWould you like to delete this Exploited in the Wild Report?
Yes, delete this reportReferences
Additional Info
Technical Analysis
Report as Emergent Threat Response
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below: