Attacker Value
Unknown
(2 users assessed)
Exploitability
Unknown
(2 users assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Local

CVE-2021-34484

Disclosure Date: August 12, 2021
Exploited in the Wild

Description

Windows User Profile Service Elevation of Privilege Vulnerability


1
Technical Analysis

Appears there may have been some confusion here. As noted at https://twitter.com/wdormann/status/1508555477491269638 and at https://twitter.com/BillDemirkapi/status/1508527487655067660/photo/1, the attackers tried to download UserProfileSvcEoP.exe from https://github.com/klinix5/ProfSvcLPE/blob/main/DoubleJunctionEoP/Release/UserProfileSvcEoP.exe. If you look at https://github.com/klinix5/ProfSvcLPE/blob/main/write-up.docx you can see this is actually a patch bypass for CVE-2021-34484, and was later fixed by CVE-2022-21919.

Ironically enough this later got another patch bypass in the form of CVE-2022-26904 which at the time of writing is still unpatched.

All of these vulnerabilities exploit a logic flaw whereby the User Profile Service had a CreateDirectoryJunction() function that did not appropriately validate its input to ensure it wasn’t using symbolic links along any point of the path prior to creating a directory junction between two directories. This could be abused by attackers manipulating paths along the file path to gain code execution as the SYSTEM user by planting a DLL in a sensitive location which would then be loaded by a privileged process.
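
The missing check described in the assessment above, written out as an added illustration (this is not the page's own code, not Microsoft's CreateDirectoryJunction(), and not the exploit): before a privileged service creates a junction it walks every existing component of both paths and refuses if any of them is a reparse point, because a low-privileged user who controls one directory in the chain can redirect the rest of the path. The function names, the temp-directory layout and the use of os.symlink as a stand-in for junction creation are assumptions so the example runs on any OS; on Windows the same walk also catches junctions through the reparse-point file attribute.

```python
"""Component-wise reparse-point validation before a privileged link operation.

Added illustration of the check the vulnerable code path lacked; the names
(first_reparse_component, safe_create_junction, demo) are hypothetical.
"""
import os
import stat
import tempfile
from typing import Optional


def _is_reparse_point(path: str) -> bool:
    """True if `path` itself is a symlink or junction (never follows it)."""
    st = os.lstat(path)
    # Windows: symlinks and junctions both carry the reparse-point attribute.
    attrs = getattr(st, "st_file_attributes", 0)
    if attrs & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0):
        return True
    # POSIX (and Windows symlinks): S_IFLNK in the lstat mode.
    return stat.S_ISLNK(st.st_mode)


def first_reparse_component(path: str) -> Optional[str]:
    """Walk every prefix of `path` from the root down and return the first
    prefix that is a reparse point, or None if the whole path is solid.
    Components that do not exist yet cannot be hijacked, so the walk stops there."""
    path = os.path.abspath(path)
    parts = path.split(os.sep)
    prefix = parts[0] + os.sep  # "/" on POSIX, "C:\\" on Windows
    for part in parts[1:]:
        if not part:
            continue
        prefix = os.path.join(prefix, part)
        if not os.path.lexists(prefix):
            break
        if _is_reparse_point(prefix):
            return prefix
    return None


def safe_create_junction(link_path: str, target_path: str, create=None) -> None:
    """Refuse to create the link if any component of either path is a reparse
    point. `create` is the privileged primitive (hypothetical); it defaults to
    os.symlink so the example is runnable without Windows junction APIs."""
    for p in (link_path, target_path):
        bad = first_reparse_component(p)
        if bad is not None:
            raise PermissionError(f"refusing: {bad} is a reparse point")
    (create or os.symlink)(target_path, link_path)


def demo() -> dict:
    """Constructed scenario: an unprivileged user replaces one directory in the
    path the service will use with a symlink to a directory they control.
    Returns what the check decided for the clean and the hijacked path."""
    base = os.path.realpath(tempfile.mkdtemp())  # realpath: avoid OS-level /var links
    real_profile = os.path.join(base, "Users", "victim")
    os.makedirs(real_profile)
    attacker_dir = os.path.join(base, "attacker")
    os.makedirs(attacker_dir)
    hijacked = os.path.join(base, "Users", "evil")
    os.symlink(attacker_dir, hijacked, target_is_directory=True)

    results = {}
    results["clean"] = first_reparse_component(os.path.join(real_profile, "AppData"))
    results["hijacked"] = first_reparse_component(os.path.join(hijacked, "AppData"))
    try:
        safe_create_junction(os.path.join(hijacked, "AppData", "junction"), real_profile)
        results["blocked"] = False
    except PermissionError:
        results["blocked"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The important design point is that the check is per component, not only on the final path: a junction or symlink anywhere above the leaf redirects everything below it, which is exactly how a planted DLL ends up in a location a SYSTEM process later loads from.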

1
Technical Analysis

This bug was evidently used by LAPSUS$ in the wild as part of the attack on Okta.

CVSS V3 Severity and Metrics
Base Score:
7.8 High
Impact Score:
5.9
Exploitability Score:
1.8
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Local
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • Microsoft

Products

  • Windows,
  • Windows Server,
  • Windows 10 Version 1909 for 32-bit Systems,
  • Windows 10 Version 1909 for x64-based Systems,
  • Windows 10 Version 1909 for ARM64-based Systems,
  • Windows 10 Version 21H1 for x64-based Systems,
  • Windows 10 Version 21H1 for ARM64-based Systems,
  • Windows 10 Version 21H1 for 32-bit Systems,
  • Windows 10 Version 2004 for 32-bit Systems,
  • Windows 10 Version 2004 for ARM64-based Systems,
  • Windows 10 Version 2004 for x64-based Systems,
  • Windows Server, version 2004 (Server Core installation),
  • Windows 10 Version 20H2 for x64-based Systems,
  • Windows 10 Version 20H2 for 32-bit Systems,
  • Windows 10 Version 20H2 for ARM64-based Systems,
  • Windows Server, version 20H2 (Server Core Installation)
