Unknown
CVE-2021-34484
CVE-2021-34484
Add Assessment
Technical Analysis
This bug was evidently used by LAPSUS$ in the wild as part of the attack on Okta.
Technical Analysis
Appears there may have been some confusion here. As noted at https://twitter.com/wdormann/status/1508555477491269638 and at https://twitter.com/BillDemirkapi/status/1508527487655067660/photo/1, the attackers tried to download UserProfileSvcEoP.exe from https://github.com/klinix5/ProfSvcLPE/blob/main/DoubleJunctionEoP/Release/UserProfileSvcEoP.exe. If you look at https://github.com/klinix5/ProfSvcLPE/blob/main/write-up.docx you can see this is actually a patch bypass for CVE-2021-34484, and was later fixed by CVE-2022-21919.
Ironically enough this later got another patch bypass in the form of CVE-2022-26904 which at the time of writing is still unpatched.
All of these vulnerabilities exploit a logic flaw whereby the User Profile Service had a CreateDirectoryJunction() function that did not appropriately validate its input to ensure it wasn’t using symbolic links along any point of the path prior to creating a directory junction between two directories. This could be abused by attackers manipulating paths along the file path to gain code execution as the SYSTEM user by planting a DLL in a sensitive location which would then be loaded by a privileged process.
CVSS V3 Severity and Metrics
General Information
Vendors
- microsoft
Products
- windows 10 -,
- windows 10 1607,
- windows 10 1809,
- windows 10 1909,
- windows 10 2004,
- windows 10 20h2,
- windows 10 21h1,
- windows 7 -,
- windows 8.1 -,
- windows rt 8.1 -,
- windows server 2008 -,
- windows server 2008 r2,
- windows server 2012 -,
- windows server 2012 r2,
- windows server 2016 -,
- windows server 2016 2004,
- windows server 2016 20h2,
- windows server 2019 -
Exploited in the Wild
