Microsoft has released a fix for an elevation-of-privilege flaw in Windows Group Policy that affects all supported versions of Windows.
Windows Group Policy is used by admins to create Group Policy Objects (GPO) that enforce settings and software, including antivirus and firewalls, on Windows devices as well as on other networked devices, such as printers, on the same Active Directory domain.
GPOs should only be controlled by a domain admin. However, Eran Shimony, of security firm CyberArk, found that any machine on the domain can be used by an attacker to perform a file-system attack that allows them to request a policy update and override policy settings. Doing so could let an attacker disable antivirus like Microsoft Defender.
“A group policy update can be requested manually by a local non-privileged user,” explained Shimony. “So, if you manage to find a bug in the group policy update process, you can trigger it yourself whenever you want to – making a potential attack easier.
“Instead of waiting for the 90 minutes (the default time period to push group policy updates on a domain environment with a 30-minute time delta) or so, which is the default time to push group policy updates on a domain environment, an admin could force it immediately.”
According to Microsoft, the bug exists because Group Policy improperly checks access in Windows, allowing an attacker who exploited the vulnerability to run processes in an elevated context.
“To exploit the vulnerability, an attacker would first have to log on to the system, and then run a specially crafted application to take control over the affected system,” Microsoft said.
Microsoft rated the bug, CVE-2020-1317, as “important” and says exploitation is less likely. Nonetheless, it affects all versions of Windows 10 through to Windows Server 2008.
Shimony’s exploit targets gpsvc, the Windows local group policy service, and the Globally Unique Identifier (GUID) used within Windows Group Policy.
“If we manage to find an unsafe file operation it performs, we can, presumably, reparse to another file using a file manipulation attack,” he notes.
He goes on to explain the various ways a GPO can be linked to different resources – for example, to a local or remote computer, to a site, a domain, or an organizational unit.
“It turns out that the value of this parameter determines where the local service will write it to the group policy. If you link a GPO to a machine, it will have the value `C:\ProgramData\Microsoft\Group Policy\History\{GUID}\Machine\Preferences\Applied-Object\Applied-Object.xml`.
“However, if GPOLink has the value of GPLinkOrganizationalUnit, then it applies to every user and computer in the domain and GPSVC will copy the policies into a path that is accessible by the local user.”
Shimony details the seven steps it takes to exploit the vulnerability to create files in arbitrary locations, including deleting and modifying system-protected files.
- List the group policy GUIDs you have in `C:\Users\user\AppData\Local\Microsoft\Group Policy\History`.
- If you have multiple GUIDs, check which directory was updated recently.
- Go inside this directory and into the sub-directory, which is the user SID.
- Look at the latest modified directory; this will vary in your environment. In his case, it was Printers.
- Delete the .xml file inside the Printers directory.
- Create an NTFS mount point to `\RPC Control` plus an Object Manager symlink with the xml name that points at `C:\Windows\System32\whatever.dll`.
- Open your favorite terminal and run gpupdate.
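The technique above hinges on planting an NTFS mount point inside the per-user Group Policy History tree, which gpsvc otherwise populates only with ordinary files and directories. The following PowerShell check is an added example for defenders, not code from the article or from CyberArk: it walks every local profile's History directory (the path layout is taken from the article; `Find-GpHistoryReparsePoints` and its parameters are names assumed here) and reports any reparse point it finds, since none are expected there.

```powershell
# Added defensive check (not from the article or CyberArk): flag reparse points
# (NTFS mount points, junctions, symlinks) inside the per-user Group Policy
# History directory. gpsvc writes plain files and directories there, so any
# reparse point in this tree warrants investigation. Path layout per the article:
# C:\Users\<user>\AppData\Local\Microsoft\Group Policy\History\{GUID}\<SID>\...

function Find-GpHistoryReparsePoints {
    [CmdletBinding()]
    param(
        # Default covers every local profile; pass one profile's History
        # directory to narrow the scan.
        [string[]]$Path = (Get-ChildItem -Path 'C:\Users' -Directory |
            ForEach-Object { Join-Path $_.FullName 'AppData\Local\Microsoft\Group Policy\History' })
    )

    foreach ($root in $Path) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        # -Attributes ReparsePoint returns only entries carrying the reparse
        # attribute; junctions, mount points and symbolic links all have it.
        Get-ChildItem -LiteralPath $root -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Path     = $_.FullName
                    LinkType = $_.LinkType            # e.g. Junction, SymbolicLink
                    Target   = ($_.Target -join ';')  # string[] on 5.1, string on 7
                    Modified = $_.LastWriteTime
                    Owner    = (Get-Acl -LiteralPath $_.FullName).Owner
                }
            }
    }
}

# Usage: run from an elevated session so every profile directory is readable.
$hits = @(Find-GpHistoryReparsePoints)
if ($hits.Count -gt 0) {
    $hits | Format-Table -AutoSize
    Write-Warning "$($hits.Count) reparse point(s) found under Group Policy History; none are expected."
} else {
    Write-Output 'No reparse points found under Group Policy History directories.'
}
```

The `Owner` column matters in triage: the History directory under a user's profile is writable by that user, so a junction owned by an unprivileged account, with a recent `Modified` time and a `Target` outside the profile, is the shape of finding this bug class leaves behind. Running the check on a schedule, alongside applying the fix for CVE-2020-1317, gives a cheap signal on machines where the patch is still pending.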
Microsoft released the patch as part of this week’s monster Patch Tuesday update, a year after Shimony had reported the bug to the company.
Microsoft immediately opened a case, according to Shimony, but the company took until January to confirm it would deliver a patch in Q2 2020 due to the complexity of the problem.
Had Google Project Zero reported the flaw, it would have disclosed the bug 90 days after reporting it to Microsoft, which prefers coordinated disclosure rather than Google’s hard deadline.