A researcher has discovered that a Windows vulnerability for which Microsoft released an incomplete patch in August is more serious than initially believed.
Tracked as CVE-2021-34484, the bug is described by Microsoft as a Windows User Profile Service elevation of privilege, and requires local, authenticated access for exploitation. All versions of Windows, including Windows Server, are affected.
The security error resides in the User Profile Service, affecting code designed for creating a temporary user profile folder when the original profile folder is damaged.
Microsoft’s incomplete patch for the issue could be easily bypassed with only a small change in the attacker script, security researcher Abdelhamid Naceri, who discovered the vulnerability, found out.
The security error appears to have a greater impact than Microsoft’s initial assessment of it, as it could allow an attacker logged in as a regular user to execute code with System privileges.
The researcher discovered it was possible to use symbolic links to target the process of copying folders and files from the original profile folder to the temporary folder, which allows an attacker to create attacker-writable folders within a system location, and then use them to launch system processes to execute code.
Microsoft’s fix checked whether a symbolic link was used for the destination folder, and aborted the operation if so. However, the incomplete fix would only check for the symbolic link in the uppermost folder, but not in other folders along the destination path.
An attacker looking to exploit the vulnerability needs to win a race condition and possibly to obtain additional user credentials than the ones they are logged-on with, but they would have an unlimited number of attempts to successfully complete an attack.
A new CVE identifier, CVE-2021-33742, was issued for the flaw, and it is considered a zero-day, given that technical information, along with proof-of-concept (POC) code, have been public since October 22.
ACROS Security’s 0patch service has released an unofficial fix, which extends the security check to the entire destination path of the temporary folder, and aborts the creation of a temporary user profile if any symbolic links are present.
The 0patch fix is available for free until Microsoft releases an official patch for the vulnerability.