New Windows 10 zero-day vulnerability gives admin rights to attackers
A security flaw has been discovered in the "Access work or school" settings that bypasses the patch Microsoft released back in February. That patch was meant to fix the Windows Mobile Device Management information disclosure vulnerability.
Security researcher Abdelhamid Naceri, who publicly disclosed the bug back in June, has recently discovered that the incompletely patched flaw can be exploited to gain admin privileges.
I mean this is still unpatched and allows LPE if shadow volume copies are enabled;
But I noticed that it doesn't work on Windows 11 https://t.co/HJcZ6ew8PO
— Abdelhamid Naceri (@KLINIX5) November 15, 2021
Mitja Kolsek, co-founder of 0patch, said that an arbitrary file disclosure can be upgraded to local privilege escalation if one knows which files to take and what to do with them. This was confirmed by using the procedure described in Raj Chandel's blog in conjunction with Abdelhamid's bug, which made it possible to run code as local admin.
Microsoft has yet to release a patch for this vulnerability, leaving Windows 10 systems with the latest November 2021 security updates exposed to attack.
Luckily, this bug can only be exploited if both of the following conditions are met:
- System protection has to be enabled on the C drive with at least one restore point created.
- At least one local admin account has to be enabled on the local computer or at least one user from the Administrators group has to have its credentials cached.
And while this vulnerability can be exploited on Windows 10 v1809 and later systems, it appears that Windows 10 v1803 and earlier, along with all Windows Server versions, are not affected.
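To see whether a given machine meets the conditions listed above, an administrator can run a check along these lines. This is an added example, not code from Microsoft, 0patch or the researcher. The function name `Test-ExposureConditions` is hypothetical, and the build numbers (17763 for v1809, 22000 for Windows 11) are assumptions used to map the versions named in the article.

```powershell
# Added example: reports whether this host meets the conditions from the article.
# Run in an elevated Windows PowerShell 5.1 session (Win32_ShadowCopy needs admin rights).
function Test-ExposureConditions {
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber

    # ProductType 1 = workstation (Windows Server is reported as not affected).
    # Assumed mapping: build 17763 = Windows 10 v1809, build 22000+ = Windows 11.
    $inAffectedRange = ($os.ProductType -eq 1) -and ($build -ge 17763) -and ($build -lt 22000)

    # Condition 1: at least one restore point (shadow copy) exists for the C drive.
    # Shadow copies reference the volume by device ID, so resolve C: to that ID first.
    $cVolume = Get-CimInstance -ClassName Win32_Volume -Filter "DriveLetter = 'C:'"
    $shadowCopies = @(Get-CimInstance -ClassName Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $cVolume.DeviceID })

    # Condition 2: at least one enabled local account in the Administrators group.
    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
    # Cached credentials of domain administrators are NOT evaluated here.
    $enabledAdmins = @(Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Where-Object { $_.PrincipalSource -eq 'Local' } |
        ForEach-Object { Get-LocalUser -SID $_.SID -ErrorAction SilentlyContinue } |
        Where-Object { $_.Enabled })

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        OsCaption           = $os.Caption
        BuildNumber         = $build
        InAffectedRange     = $inAffectedRange
        ShadowCopiesOnC     = $shadowCopies.Count
        EnabledLocalAdmins  = ($enabledAdmins.Name -join ', ')
        AllConditionsMet    = $inAffectedRange -and
                              ($shadowCopies.Count -gt 0) -and
                              ($enabledAdmins.Count -gt 0)
    }
}

Test-ExposureConditions | Format-List
```

A result of `AllConditionsMet = False` does not rule out exposure through cached administrator credentials, which this check does not inspect.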