Unpatched Windows Zero-Day Allows Privileged File Access (Security News, November 2021)
In a proof-of-concept exploit, the researcher demonstrated that it is possible to copy files from a chosen location into a Cabinet archive that the user can then open and read.
"I mean this is still unpatched and allows LPE if shadow volume copies are enabled, but I noticed that it doesn't work on Windows 11 https://t."
"The resulting .CAB file is then stored in the C:\Users\Public\Public Documents\MDMDiagnostics folder, where the user can freely access it."
Because the .CAB file is copied into the Windows Temp folder, a local attacker can pounce.
The adversary would simply create a file shortcut link, using the predictable file name that the normal export process expects, that points to a folder or file the attacker wants to access.
"Our patch is placed immediately before the call to CopyFileW that opens the source file for copying, and uses the GetFinalPathNameByHandleW function to determine whether any junctions or other types of links are used in the path. If they are, our patch makes it look as if the CopyFileW call has failed, thereby silently bypassing the copying of any file that doesn't actually reside in C:\Windows\Temp."
Windows Servers are not affected, and neither are Windows 11, Windows 10 v1803 and older Windows 10 versions.
News URL: https://threatpost.com/unpatched-windows-zero-day-privileged-file-access/176609/
Related news
- Lazarus hackers exploited Windows zero-day to gain Kernel privileges
- Lazarus Hackers Exploited Windows Kernel Flaw as Zero-Day in Recent Attacks
- Windows Kernel bug fixed last month exploited as zero-day since August
- Microsoft fixes two Windows zero-days exploited in malware attacks
- Telegram fixes Windows app zero-day caused by file extension typo
- Telegram fixes Windows app zero-day used to launch Python scripts