- Category: Vulnerability Intelligence
- Vulnerability Class: Privilege Escalation
- CVE ID: CVE-2023-21752
- CVSS:3.0 Score: 7.1 (High)
Executive Summary
THREAT
- CVE-2023-21752 is a vulnerability in the Windows Backup and Restore service that allows a basic user to execute arbitrary code on a host to delete files from a specified storage path, an action normally restricted to privileged users.
- This exploit can be leveraged for privilege escalation on a host, from a basic user to the SYSTEM user.
IMPACT
- Deletion of multiple files outside the basic user's scope, due to a race condition between threads.
- Escalation to the 'SYSTEM' user, allowing full takeover of the computer system.
- The exploitation scenario is reduced on hosts that have been sufficiently patched.
MITIGATION
- Operating Systems should be updated with the latest security patches.
Technical Analysis
About the Vulnerability
CloudSEK's Threat Intelligence team has uncovered a cybercrime forum post in which a threat actor with a medium reputation provided an analysis of the recently disclosed CVE-2023-21752. The vulnerability allows non-privileged users on the system to delete or modify files on the chosen storage destination path. It is triggered through a race condition between the creation and deletion of a temporary file, which takes place after the authentication process.
Windows hosts with irregular patch installation are at risk, as threat actors could use the exploit in the wild. The only requirement is a local account on the targeted system.
After the exploit runs, a CMD shell is spawned in which the non-privileged user holds 'SYSTEM' privileges on the Windows host.
Microsoft patched this vulnerability in the security update released on 10 January 2023. The vulnerability affects Windows 7, 10 and 11.
Exploitation
The Windows Backup Service creates a temporary file in the destination path to confirm that the user has sufficient privileges to read and write files stored there. This file is deleted immediately after the check. Threat actors with low-privileged accounts can leverage this temporary file creation by mimicking a file backup to a storage drive or path that they can access and modify.
As explained by 0patch, actors can lock the temporary file and redirect its path to a file that they cannot modify. The delete then removes that file instead. Important system files and files created by admin users can be targeted in the same way, so the flaw can be used to delete files that the user otherwise could not modify because of their privilege level. To prevent the race condition that arises when threads get locked (because of simultaneous backup processes), the patch implements the CheckDevicePathIsWriteable() function.
Code Analysis
The highlighted functions in the code snippets are:
- GetTempFileNameW() - Once the actor authenticates with their non-privileged account credentials, Windows Backup Manager creates a temporary file on the storage destination path requested by the user. This function generates and returns the name of that file.
- CheckDevicePathIsWriteable() - The backup service uses this function to ensure that the path is writable by the user once authentication is complete.
TO NOTE: The vulnerable function is IsWritable(), called by QueryStorageDevice(), which checks that the storage path is writable.
Race Condition leading to thread lock
Multiple temporary files can be created at once when several Windows backup operations take place at the same time. Because the creation and deletion of the temporary file occur one after the other, with no restriction on the file between the two operations, an attacker can run another thread in that window. After the temporary file is created and before it is deleted, the attacker can obtain a handle to the file and place a lock on it to stop other threads from operating on it. While the lock is held, the file is deleted and the original file path is made to point at other files. When the lock is released, the files that the path now points to are deleted.
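The create-then-delete probe described under Exploitation and in the race condition above, shown next to a handle-based probe that does not re-resolve the path, as an added PowerShell example that is not from the report, from 0patch or from Microsoft's patch. Test-PathWritableRacy and Test-PathWritableSafe are assumed names, and the safe variant illustrates the design principle only; it is not a reconstruction of CheckDevicePathIsWriteable().

```powershell
# Added example (not CloudSEK's, 0patch's or Microsoft's code). Both functions
# probe whether $Directory is writable; only the shape of the probe differs.
function Test-PathWritableRacy {
    param([Parameter(Mandatory)][string]$Directory)
    # Same shape as the pre-patch check: create a probe file by path, then
    # delete it by path in a second step. Between the two steps the file
    # exists under a known name, and the delete resolves the path again,
    # so anything that changes where that path points in the meantime
    # changes what gets deleted. (GetTempFileNameW yields a more
    # predictable name; the random name here does not close the window,
    # because the race is on the path lookup, not on the name.)
    $probe = [System.IO.Path]::Combine($Directory, [System.IO.Path]::GetRandomFileName())
    try {
        [System.IO.File]::WriteAllBytes($probe, [byte[]]::new(0))
        return $true
    } catch [System.UnauthorizedAccessException], [System.IO.IOException] {
        return $false
    } finally {
        # Second path lookup: this is the window the report describes.
        if (Test-Path -LiteralPath $probe) { Remove-Item -LiteralPath $probe -Force }
    }
}

function Test-PathWritableSafe {
    param([Parameter(Mandatory)][string]$Directory)
    # Handle-based probe: a single path lookup, and the delete happens
    # through the handle we hold rather than through a second lookup.
    $probe = [System.IO.Path]::Combine($Directory, [System.IO.Path]::GetRandomFileName())
    try {
        # CreateNew     : fail if the name already exists (no pre-planted file)
        # FileShare None: no other handle can be opened on the file while ours is open
        # DeleteOnClose : the kernel removes the file when the last handle closes
        $fs = [System.IO.FileStream]::new($probe,
            [System.IO.FileMode]::CreateNew,
            [System.IO.FileAccess]::ReadWrite,
            [System.IO.FileShare]::None,
            4096,
            [System.IO.FileOptions]::DeleteOnClose)
        $fs.Dispose()   # file is gone here; no separate Remove-Item step
        return $true
    } catch [System.UnauthorizedAccessException], [System.IO.IOException] {
        return $false
    }
}

# Constructed usage: probe the current user's temp directory with both variants.
Test-PathWritableRacy -Directory $env:TEMP
Test-PathWritableSafe -Directory $env:TEMP
```

Both functions probe as the calling user; a service running as SYSTEM must perform the probe while impersonating the requesting user, otherwise the result says nothing about that user's rights on the path.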
References
- Traffic Light Protocol - Wikipedia
- Micropatching Arbitrary File Delete Vulnerability in Windows Backup Service (CVE-2023-21752) - 0patch
- PoC for CVE-2023-21752 - GitHub repository
- Microsoft Security Advisory - CVE-2023-21752
Appendix