CVE-2023-35359 | Windows | LPE
| Vulnerability | CVE-2022-22047 CVE-2022-37989 CVE-2022-41073 CVE-2022-29104 CVE-2023-36874 CVE-2023-35359 |
|---|---|
| Type | Local privilege escalation (LPE) |
| Description | A class of vulnerabilities affecting Microsoft Windows since 2015 that leads to elevation of privilege: a normal user can gain SYSTEM privileges on the vulnerable host. Root cause: a normal user can replace the original C: drive with a fake one by placing a symbolic link for the system drive in the per-logon-session device map (the DosDevices directory of the user's logon session); when a privileged service impersonates that user, the kernel follows the fake drive instead of the original system drive during object-name lookup. Some applications vulnerable to this attack surface are native Windows services that run by default on most Windows versions, including: 1. CSRSS 2. WER (Windows Error Reporting) 3. File History service 4. BITS (Background Intelligent Transfer Service) 5. Print Spooler service |
| How to check whether it was exploited or attempted | Analyzing most of the exploits targeting this attack surface, we observed common behaviour that can be used as an indicator of exploitation attempts: 1. Most in-the-wild exploits create a writable folder on the C: drive whose structure mimics the original system drive, for example C:\Windows\System32 -> C:\FakeFolder\Windows\System32 and C:\Windows\WinSxS -> C:\FakeFolder\Windows\WinSxS, so a writable folder mimicking the C: drive folder structure may be an indicator of an exploitation attempt. 2. Copying manifest files from the original WinSxS folder (C:\Windows\WinSxS) to a writable directory and modifying them is a good indicator of an exploitation attempt. 3. Manifest files containing undocumented XML attributes such as LoadFrom, or manifest files containing path traversal in their name attributes, are a valid sign of an exploitation attempt. 4. Creating a symbolic link from the original system drive to a writable directory, especially from a medium-integrity process using the \RPC Control object directory. |
| Microsoft Patch | Although this attack surface is now patched, it is still a very easy way to obtain local admin on unpatched versions of Windows. Microsoft patched it by modifying the kernel function ObpLookupObjectName to ignore the device map from the impersonation token when the object being looked up is a file object and the call to ObpUseSystemDeviceMap returns success. |
| Securelist blog | https://securelist.com/windows-vulnerabilities/112232/ |
| References | https://bugs.chromium.org/p/project-zero/issues/detail?id=2451 https://bugs.chromium.org/p/project-zero/issues/detail?id=240 https://github.com/ly4k/SpoolFool https://github.com/Wh04m1001/CVE-2023-36874 |
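The following script hunts for indicators 1 to 3 from the "How to check" row: a writable folder tree mimicking the system drive, edited copies of WinSxS manifests outside WinSxS, and manifests carrying a loadFrom attribute or `..` components in a name attribute. It is an added example, not code from the original page or from any of the referenced projects. The directory layout and the two manifests are constructed inline (they are not real WinSxS content) so it runs offline on any OS; on a live Windows host you would call find_mimic_dirs on C:\ with C:\Windows as the genuine directory and find_modified_manifest_copies on C:\Windows\WinSxS. Indicator 4 (symbolic links in the per-session DosDevices and \RPC Control object directories) needs live object-manager inspection and is not covered here.

```python
"""Hunt for indicators 1-3 of the device-map LPE class: fake drive tree, edited
WinSxS manifest copies, and loadFrom / path traversal in manifests.  Added
example, not from the original page; sample tree and manifests are constructed."""
import hashlib
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Indicator 1: a directory whose path tail mimics the system-drive layout.
MIMIC_SUFFIXES = (os.path.join("Windows", "System32"),
                  os.path.join("Windows", "WinSxS"))
# Indicator 3: undocumented manifest attribute, and '..' components in a name.
SUSPICIOUS_ATTRS = {"loadfrom"}                    # compared case-insensitively
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

def _inside(path, parent):
    """True if path is parent or lies below it (absolute, case-normalised)."""
    p, q = (os.path.normcase(os.path.abspath(x)) for x in (path, parent))
    return p == q or p.startswith(q + os.sep)

def find_mimic_dirs(root, real_windows):
    """Dirs under root ending in Windows\\System32 or Windows\\WinSxS that lie
    outside the genuine Windows dir, paired with whether they are writable."""
    hits = []
    for dirpath, _, _ in os.walk(root):
        if _inside(dirpath, real_windows):
            continue
        norm = os.path.normcase(dirpath)
        if any(norm.endswith(os.path.normcase(s)) for s in MIMIC_SUFFIXES):
            hits.append((dirpath, os.access(dirpath, os.W_OK)))
    return sorted(hits)

def _sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def find_modified_manifest_copies(winsxs_dir, search_root):
    """Indicator 2: *.manifest files outside WinSxS that share a file name with
    a WinSxS manifest but whose content differs (copied, then edited)."""
    originals = {}
    for dirpath, _, files in os.walk(winsxs_dir):
        for name in files:
            if name.lower().endswith(".manifest"):
                originals[name.lower()] = _sha256(os.path.join(dirpath, name))
    hits = []
    for dirpath, _, files in os.walk(search_root):
        if _inside(dirpath, winsxs_dir):
            continue
        for name in files:
            ref = originals.get(name.lower())
            if ref is not None and _sha256(os.path.join(dirpath, name)) != ref:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)

def scan_manifest(xml_text):
    """Indicator 3: (element, attribute, value) triples for loadFrom attributes
    and for name attributes containing a '..' path component."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        tag = elem.tag.split("}")[-1]              # drop the asm.v1 namespace
        for attr, value in elem.attrib.items():
            local = attr.split("}")[-1]
            if local.lower() in SUSPICIOUS_ATTRS or (
                    local.lower() == "name" and TRAVERSAL_RE.search(value)):
                findings.append((tag, local, value))
    return findings

# Constructed sample manifests (not real WinSxS content).
BENIGN_MANIFEST = """<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity name="Example.Component" version="1.0.0.0" type="win32"/>
  <file name="example.dll"/>
</assembly>"""
EDITED_MANIFEST = """<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity name="Example.Component" version="1.0.0.0" type="win32"/>
  <file name="example.dll" loadFrom="C:\\FakeFolder\\payload.dll"/>
  <file name="..\\..\\Temp\\evil.dll"/>
</assembly>"""

def run_demo():
    """Build a constructed 'drive' in a temp dir (genuine Windows\\WinSxS with the
    original manifest; FakeFolder\\Windows\\{System32,WinSxS} with an edited copy)
    and run all three checks.  Paths come back relative to the root with '/'."""
    base = tempfile.mkdtemp(prefix="lpe_hunt_")
    real = os.path.join(base, "Windows", "WinSxS", "example_1.0.0.0")
    fake = os.path.join(base, "FakeFolder", "Windows", "WinSxS", "example_1.0.0.0")
    for d in (real, fake, os.path.join(base, "FakeFolder", "Windows", "System32"),
              os.path.join(base, "Users", "Public")):   # last one must not hit
        os.makedirs(d)
    for d, text in ((real, BENIGN_MANIFEST), (fake, EDITED_MANIFEST)):
        with open(os.path.join(d, "example.manifest"), "w") as fh:
            fh.write(text)
    rel = lambda p: os.path.relpath(p, base).replace(os.sep, "/")
    return {
        "mimic_dirs": [(rel(p), w) for p, w in
                       find_mimic_dirs(base, os.path.join(base, "Windows"))],
        "edited_copies": [rel(p) for p in find_modified_manifest_copies(
            os.path.join(base, "Windows", "WinSxS"), base)],
        "manifest_findings": scan_manifest(EDITED_MANIFEST),
    }
```

The writability flag on each mimic directory matters because only a folder the low-privileged user can write to is useful for staging a fake system drive; a read-only look-alike is noise. Hash comparison against the genuine WinSxS copy is deliberately strict: an exploit has to edit the copied manifest (for example to add loadFrom), so any byte-level difference is the signal, while an unmodified copy is not flagged.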