CloudSEK’s Threat Intelligence team has uncovered a cybercrime forum post in which a threat actor with a medium reputation provided an analysis of the recently disclosed CVE-2023-21752. The vulnerability allows non-privileged users on the system to delete or modify files on the chosen storage destination path. It is triggered through a race condition between temporary file creation and deletion, which takes place after the authentication process.
Windows hosts that are patched irregularly are at risk, as threat actors may use the exploit in the wild. The only prerequisite is a local account on the targeted system.
After the exploit runs, a CMD shell is spawned in which the non-privileged user holds ‘SYSTEM’ privileges on the Windows host.
Microsoft patched this vulnerability with the security update released on 10 January 2023. The vulnerability affects Windows 7, 10 and 11.
The Windows Backup Service creates a temporary file in the destination path to verify that the user has sufficient privileges to read from or write to files stored there. This file is deleted immediately once the verification is complete. Threat actors with low-privileged accounts can leverage this temporary file creation by mimicking a file backup to storage drives or paths that they are able to access and modify.
As explained by 0patch, actors can lock the temporary file and instead supply a path link to a file that they cannot modify. The exploit then proceeds to delete that file. Important system files and files created by admin users can be targeted in the same way, allowing the deletion of files that the actor’s privilege level would otherwise not permit them to modify.
The functions involved are as follows. The vulnerable function is IsWritable(), called by QueryStorageDevice() to ensure that the storage path is writable. To prevent the race condition that arises from threads getting locked during simultaneous backup processes, the patch implements the CheckDevicePathIsWriteable() function.
Multiple temporary files can be created at once when several Windows backup operations run at the same time. Because the temporary file is created and then deleted in sequence, with no restriction placed on the file between the two operations, an attacker can use a second thread to act inside that window. After the temporary file is created and before it is deleted, the attacker obtains a handle to the file and locks it so that other threads cannot operate on it. The file is then deleted while the original file path is redirected to point at a different file, so when the lock is released the file the path now points to is the one that gets deleted.
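The pattern described above is a time-of-check-to-time-of-use race: a privileged process creates a probe file by path, and later deletes it by path, so anything that redirects the path in between decides what the final delete actually removes. The following is an added, defender-oriented example written for this article; it is not code from CloudSEK, 0patch or Microsoft and does not model the real IsWritable() or CheckDevicePathIsWriteable() functions. It simulates the race on a POSIX file system (the verifier’s platform) by swapping the destination directory for a link to a “victim” directory during the window, and contrasts the vulnerable by-path probe with a hardened probe that resolves the destination to a directory handle once, refuses to follow links, and performs the create and delete relative to that handle. All directory names and file contents are constructed for the simulation.

```python
import os
import tempfile

# Name of the writability probe file; a constructed stand-in for the backup
# service's temporary file described in the article.
PROBE_NAME = "backup_probe.tmp"


def probe_by_path(dest_dir, during_window=None):
    """Vulnerable pattern: create the probe, then delete it BY PATH.

    The path is resolved again at unlink time, so if the destination
    directory has been redirected in the meantime, the delete lands on
    whatever the path now points to.
    """
    probe = os.path.join(dest_dir, PROBE_NAME)
    fd = os.open(probe, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    os.close(fd)
    if during_window:
        during_window()          # the race window between create and delete
    os.unlink(probe)             # path re-resolved here: follows the redirect


def probe_by_handle(dest_dir, during_window=None):
    """Hardened pattern: resolve the destination once to a directory handle,
    refuse to follow a link, and do every operation relative to that handle.

    unlinkat() against the original directory handle cannot be redirected
    by renaming or replacing the path component afterwards.
    """
    dirfd = os.open(dest_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        fd = os.open(PROBE_NAME,
                     os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW,
                     0o600, dir_fd=dirfd)
        os.close(fd)
        if during_window:
            during_window()      # same race window as above
        os.unlink(PROBE_NAME, dir_fd=dirfd)   # unlinkat: original directory
    finally:
        os.close(dirfd)


def simulate(probe_fn):
    """Run probe_fn in a scratch layout where the destination directory is
    swapped for a symlink to a 'victim' directory during the window.

    Returns True if the victim's file survived, False if it was deleted.
    """
    with tempfile.TemporaryDirectory() as root:
        dest = os.path.join(root, "dest")      # constructed destination path
        victim = os.path.join(root, "victim")  # constructed protected location
        os.mkdir(dest)
        os.mkdir(victim)
        victim_file = os.path.join(victim, PROBE_NAME)
        with open(victim_file, "w") as f:
            f.write("important data\n")      # constructed sample content

        def swap():
            # Redirect the destination path: move the real directory aside and
            # put a link to the victim directory in its place.
            os.rename(dest, dest + ".moved")
            os.symlink(victim, dest)

        probe_fn(dest, during_window=swap)
        return os.path.exists(victim_file)


if __name__ == "__main__":
    print("by path   -> victim file survived:", simulate(probe_by_path))    # False
    print("by handle -> victim file survived:", simulate(probe_by_handle))  # True
```

The design point carries over to Windows even though the API differs: a check that opens and later deletes a path is only as trustworthy as the path, so privileged code should keep the handle it validated and operate relative to it (on Windows, handle-relative opens and refusing to traverse reparse points with FILE_FLAG_OPEN_REPARSE_POINT serve the same purpose). This is general hardening guidance, not a description of what the CVE-2023-21752 patch does internally.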