A vulnerability that existed in every single current Window versions allowing an attacker to misuse the Windows Group Policy feature to assume full control over a computer was recently dealt with by Microsoft. The administrators of the multinational technology can remotely deal with the entirety of the Windows devices on a system through the Group Policy feature.
This element permits the administrators to make a centralized global configuration policy for their organization that is pushed out to the entirety of the Windows devices on their network. The vulnerability was quite a serious one as it was capable enough to influence all Windows variants since Windows Server 2008.
These Group Policies allow an administrator to control how a computer can be utilized, like ‘disabling settings in apps, prohibiting apps from running, enabling and disabling Windows features, and even deploying the same wallpaper on every Windows computer.’
To appropriately apply these new policies, the gpsvc service or ‘Group Policy Client’ service, is configured to run with ‘system’ privileges, which gives the same rights and permissions from the Administrator account.
However, Microsoft has already fixed the ‘CVE-2020-1317 | Group Policy Elevation Privilege Vulnerability’ discovered by cybersecurity firm CyberArk, who found a symlink attack against a file utilized for Group Policy updates to have access to elevated privileges.
“This vulnerability permits an unprivileged user in a domain environment to perform a file system attack which in turn would allow malicious users to evade anti-malware solutions, bypass security hardening, and could lead to severe damage in an organization network. This vulnerability could impact any Windows machine (2008 or higher), to escalate its privileges in a domain environment,” CyberArk state in their report.
When playing out a group policy update that applies to the entirety of the devices in an organization, Windows will compose the new policies to a computer in a subfolder of the %LocalAppData% folder that any user, including a standard user, has permission.
Having full access to a file that is known to be utilized by a procedure with SYSTEM privileges, CyberArk found that they could come up with a symbolic link between the file to an RPC command that executes a DLL.
As the Group Policy Client service runs with SYSTEM privileges, when they endeavor to apply the policies in that file, it will rather execute any DLL the attackers need with SYSTEM privileges.
To trigger this vulnerability, a local attacker could execute the gpupdate.exe program, which plays out a manual group policy synchronization, and this command would then trigger the policy update and run an attacker’s malevolent DLL.
As indicated by CyberArk, the full steps to ‘exploit’ this vulnerability would be as per the following:
- List the group policy GUIDs you have in C:UsersuserAppDataLocalMicrosoftGroup PolicyHistory
- If you have multiple GUIDs check which directory was updated recently
- Go inside this directory and into the sub-directory, which is the user SID.
- Look at the latest modified directory; this will vary in your environment. In some cases, it can be the Printers directory.
- Delete the file, Printers.xml, inside the Printers directory.
- Create an NTFS mount point to RPC Control + an Object Manager symlink with Printers.xml that points on C:WindowsSystem32whatever.dll
- Open your favorite terminal and run gpupdate.
“There you have it; an arbitrary create on arbitrary locations, you can also delete and modify system protected files by using this exploit. There is a small change in behavior that goes on based on your GPO objects (printers, devices, drives). Alas, all of them end up in EoP,” CyberArk explains.
As this vulnerability affects millions, if not conceivably a billion devices, it’s a very serious security flaw that ought to be addressed to by all Windows administrators as soon as possible.