A free and unofficial patch is now available for a zero-day local privilege escalation vulnerability in the Windows User Profile Service that lets attackers gain SYSTEM privileges under certain conditions.
The bug, tracked as CVE-2021-34484, was incompletely patched by Microsoft during the August Patch Tuesday. The company only addressed the impact of the proof-of-concept (PoC) provided by security researcher Abdelhamid Naceri who reported the issue.
Naceri later discovered that threat actors could still bypass the Microsoft patch to elevate privileges to gain SYSTEM privileges if certain conditions are met, getting an elevated command prompt while the User Account Control (UAC) prompt is displayed.
CERT/CC vulnerability analyst Will Dormann tested the CVE-2021-34484 bypass PoC exploit and found that, while it worked, it would not always create the elevated command prompt. However, in BleepingComputer's tests, it launched an elevated command prompt immediately, as shown below.
Luckily, the exploit requires attackers to know and log in with other users' credentials for exploiting the vulnerability, which means that it will likely not be as widely abused as other LPE bugs (including PrintNightmare).
The bad news is that it impacts all Windows versions, including Windows 10, Windows 11, and Windows Server 2022, even if fully patched.
Additionally, the researcher told BleepingComputer threat actors will only need another domain account to deploy the exploits in attacks, so it's definitely something admins should be concerned about.
After BleepingComputer's report on the CVE-2021-34484 bypass, Microsoft told us that they are aware of the issue and "will take appropriate action to keep customers protected."
Exploit launching an elevated command prompt behind UAC prompt (BleepingComputer)
0patch developed the micropatch using the info provided by Naceri in his write-up and PoC for the Windows User Profile Service 0day LPE.
You can apply this free patch to block attacks using the CVE-2021-34484 bypass on the following Windows versions:Windows 10 v21H1 (32 & 64 bit) updated with October or November 2021 Updates Windows 10 v20H2 (32 & 64 bit) updated with October or November 2021 Updates Windows 10 v2004 (32 & 64 bit) updated with October or November 2021 Updates Windows 10 v1909 (32 & 64 bit) updated with October or November 2021 Updates Windows Server 2019 64 bit updated with October or November 2021 Updates
"While this vulnerability already has its CVE ID (CVE-2021-33742), we're considering it to be without an official vendor fix and therefore a 0day," 0patch co-founder Mitja Kolsek explained. "Micropatches for this vulnerability will be free until Microsoft has issued an official fix."
Once you launch the agent, the micropatch is applied automatically (if there is no custom patching enterprise policy in place blocking it), without the need to reboot the device.
While this issue in theory also impacts older Windows versions, Kolsek said that "the vulnerable code is different there, making the window for winning the race condition extremely narrow and probably unexploitable."
A video demo of the CVE-2021-33742 micropatch in action is embedded below.