EoP via Arbitrary File Write/Overwrite in Group Policy Client “gpsvc” – CVE-2022-37955

Summary: A standard domain user can exploit an Arbitrary File Write/Overwrite as NT AUTHORITY\SYSTEM under certain circumstances if a Group Policy “File Preference” is configured. I reported this finding to ZDI and Microsoft fixed it in CVE-2022-37955. Versions Affected: Tests (April 06, 2022) were conducted on the following Active Directory setup: Domain computer: Windows 10/Windows 11 &…


LocalPotato – When Swapping The Context Leads You To SYSTEM

Here we are again with our (me and @splinter_code) new *potato flavor, the LocalPotato! This was a cool finding so we decided to create a dedicated website 😉 The journey to discovering the LocalPotato began with a hint from our friend Elad Shamir, who suggested examining the "Reserved" field in NTLM Challenge messages for potential…

Giving JuicyPotato a second chance: JuicyPotatoNG

Well, it's been a long time since our beloved JuicyPotato was published. Meanwhile things changed and got fixed (backported also to Win10 1803/Server2016), leading to the glorious end of this tool, which made it possible to elevate to the SYSTEM user by abusing impersonation privileges on Windows systems. With Juicy2 it was somehow possible to circumvent…

Group Policy Folder Redirection CVE-2021-26887

Two years ago (March 2020), I found this sort of "vulnerability" in the Folder Redirection policy and reported it to MSRC. They acknowledged it with CVE-2021-26887 even if they did not really fix the issue ("folder redirection component interacts with the underlying NTFS file system has made this vulnerability particularly challenging to fix"). The proposed solution…

A not-so-common and stupid privilege escalation

Some time ago, I was doing a Group Policy assessment in order to check for possible misconfigurations. Apart from running the well-known tools, I usually take a look at the shared SYSVOL policy folder. The SYSVOL folder is readable by all domain users & domain computers. My attention was caught at some point…

Hands off my (MS) cloud services!

Ok, this title is deliberately provocative, but the goal of this post is just to share some (as usual) "quick & dirty" tricks with all of you concerned about securing your Microsoft O365/Exchange/AzureAD online instances. If you are facing the problem of having one or more services exposed on the Microsoft cloud and want to have…

Hands off my IIS accounts!

As promised in my previous post, I will (hopefully) give you some advice on how to harden the IIS "Application Pool" accounts, aka "identities". First of all we need to understand how the IIS architecture works and how identities are managed. Therefore I suggest you read some specific posts about this topic, for example this…

Hands off my service account!

Windows service accounts are one of the preferred attack surfaces for privilege escalation. If you are able to compromise such an account, it is quite easy to get the highest privileges, mainly due to the powerful impersonation privileges that are granted by default to services by the operating system. Even if Microsoft introduced WSH (Windows…

When a stupid oplock leads you to SYSTEM

As promised in my previous post, I'm going to show you the second method I found in order to circumvent CVE-2020-1317. Prerequisites: the domain user has access to a domain-joined Windows machine; the domain user must be able to create a subdirectory under “Datastore\0”, which is theoretically no longer possible. But as we will see there are…

When ntuser.pol leads you to SYSTEM

This is a super short writeup following my previous post. My last sentence was a kind of provocation because I already knew that there were at least 2 "bypasses" for CVE-2020-1317. I did not submit them because I totally disagree with recent MSRC changes in their policies, so when I discovered that they were…