CVE-2021-34484 is a Microsoft security vulnerability, originally patched in August but now exploitable with a patch bypass. The vulnerability could allow local privilege escalation from a regular user to System. It was discovered by security researcher Abdelhamid Naceri.
Who’s affected? The flaw’s impact includes Windows 10 (both 32- and 64-bit), versions v21H1, v20H2, v2004 and v1909, and Windows Server 2019 64-bit.
Fortunately, an unofficial micropatch from oPatch is now available to address the old-new issue.
CVE-2021-34484: Windows User Profile Service Elevation of Privilege Vulnerability
As already mentioned, the flaw, originally classified as an arbitrary directory-deletion issue, was patched as part of Microsoft’s August 2021 Patch Tuesday. Originally, because the bug required an attacker to locally log into a vulnerable machine, it was considered low-priority.
However, shortly after his discovery, security researcher Abdelhamid Naceri also realized that the bug could be exploited in privilege escalation attacks. This gave the vulnerability a whole different threat level, as system-level users have access to various network resources, including databases and servers.
The researcher also inspected Microsoft’s initial patch for CVE-2021-34484, and discovered a bypass for it via a simple tweak in the exploit code he had developed. This subsequently changed the status of the vulnerability to zero-day.
How can the vulnerability be exploited?
According to Mitja Kolsek from 0Patch, “the crux of the attack is in quickly creating a symbolic link in the temporary user profile folder (C:\Users\TEMP) so that when the User Profile Service copies a folder from user’s original profile folder, it will end up creating a folder somewhere else – where the attacker would normally not have permissions to create one.”
When the User Profile Service copies a folder from the user’s original profile folder, the symbolic link will force it to create a folder containing a malicious DLL payload in a location where the attacker wouldn’t normally have permissions.
The unofficial micropatch fixes the issue by extending the security check for symbolic links to the entire destination path and calling the “GetFinalPathNameByHandle” function.
“Our micropatch extends the incomplete security check from Microsoft’s fix to the entire destination path by calling GetFinalPathNameByHandle and thus resolving any symbolic links it may contain. Then, by comparing the original path and the “resolved” path, it determines whether any symbolic links are present; if not, original code execution is resumed, otherwise the creation of a temporary user profile is aborted,” 0Patch explained.
“Micropatches for this vulnerability will be free until Microsoft has issued an official fix,” the team added.