Security News > 2021 > November > Windows 10 Privilege-Escalation Zero-Day Gets an Unofficial Fix

A partially unpatched security bug in Windows that could allow local privilege escalation from a regular user to System remains unaddressed fully by Microsoft - but an unofficial micropatch from oPatch has hit the scene.

"The vulnerability lies in the User Profile Service, specifically in the code responsible for creating a temporary user profile folder in case the user's original profile folder is damaged or locked for some reason," explained 0Patch's Mitja Kolsek in a Thursday writeup.

The exploit is straightforward: An attacker would create a specially crafted symbolic link, then would need to save it in the temporary user profile folder.

When the User Profile Service copies a folder from user's original profile folder as described by Kolsek, the symbolic link will force it to create a folder containing a malicious library payload somewhere else where the attacker would normally not have permissions to create one.

"Microsoft, even though believing the vulnerability only allowed for deletion of an arbitrarily 'symlinked' folder, made a conceptually correct fix: it checked whether the destination folder under C:UsersTEMP was a symbolic link, and aborted the operation if so," explained Kolsek.

"The incompleteness of this fix, as noticed by Abdelhamid, was in the fact that the symbolic link need not be in the upper-most folder, but in any folder along the destination path."

News URL

https://threatpost.com/windows-10-privilege-escalation-zero-day-unofficial-fix/176313/