CVE-2023-21752: Privilege Escalation Vulnerability on Windows Backup Service

CloudSEK’s Threat Intelligence team has uncovered a cybercrime forum post in which a threat actor with a medium reputation provided an analysis of the recently disclosed CVE-2023-21752.
Published on February 21, 2023. Updated on April 19, 2023.
  • Category: Vulnerability Intelligence
  • Vulnerability Class: Privilege Escalation
  • CVE ID: CVE-2023-21752
  • CVSS:3.0 Score: 7.1 (High)

Executive Summary

THREAT

  • Tracked as CVE-2023-21752, the vulnerability allows a basic user running code on a host to make the Windows Backup and Restore service delete files from a specified storage path, an action normally possible only for privileged users.
  • The exploit can be leveraged to escalate privileges on a host from a basic user to SYSTEM.

IMPACT

  • Deletion of multiple files outside the basic user’s scope, by exploiting a race condition between threads.
  • Escalation to the ‘SYSTEM’ user, allowing full takeover of the host.
  • The exploitation scenario is limited where patching is up to date.

MITIGATION

  • Operating systems should be updated with the latest security patches.

Technical Analysis

About the Vulnerability

The analysis below draws on a cybercrime forum post, uncovered by CloudSEK’s Threat Intelligence team, in which a threat actor with a medium reputation analysed the recently disclosed CVE-2023-21752. The vulnerability allows non-privileged users on the system to delete or modify files on a storage destination path of their choosing. It is triggered through a race condition between the creation and deletion of a temporary file, which takes place after the user authenticates.

Windows hosts with irregular patch installation are at risk, as threat actors may use the exploit in the wild. The only requirement is a local account on the targeted system.

After the exploit runs, a CMD shell is spawned in which the non-privileged user holds ‘SYSTEM’ privileges on the Windows host.

Exploit code executed successfully, leading to file deletion by a normal user

Microsoft patched this vulnerability in the security update released on 10 January 2023. The vulnerability affects Windows 7, 10 and 11.

Exploitation

The Windows Backup Service creates a temporary file in the destination path to confirm that the user has sufficient privileges to read and write files stored there, and deletes it immediately once the check has been made. Threat actors with low-privileged accounts can abuse this temporary file creation by requesting a backup to a storage drive or path that they are able to access and modify.

As explained by 0patch, actors can lock the temporary file and then make its path point to a file that they cannot modify; the backup process proceeds to delete that file instead. Important system files and files created by admin users can be targeted in the same way, allowing deletion of files that the actor’s privilege level would otherwise not permit them to modify. To prevent race conditions that occur when threads get locked by simultaneous backup processes, the patch introduces the CheckDevicePathIsWriteable() function.

Escalation to ‘SYSTEM’ user on the host

Code Analysis

The highlighted functions in the code snippets are:

  • GetTempFileNameW() - Once the actor authenticates with their non-privileged account credentials, Windows Backup creates a temporary file on the storage destination path requested by the user; this function supplies the name of that temporary file.
  • CheckDevicePathIsWriteable() - The Backup service uses this function to verify that the path is writable by the user once authentication is completed.

Note: the vulnerable function is IsWritable(), called by QueryStorageDevice(), which checks that the storage path is writable.

Race Condition leading to thread lock

Multiple temporary files can be created at once when several Windows backup operations run at the same time. Because the temporary file is created and then deleted in sequence, with no restriction placed on the file between the two operations, the attacker is able to create another thread. After the temporary file is created and before it is deleted, this thread obtains a handle to the file and takes a lock on it to prevent other threads from operating on it. At the same time the file is deleted and the original file path is redirected to point to other files. When the lock is released, the files now pointed to are deleted.
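The race described above is a check-then-act pattern: the probe creates a temporary file and then deletes it by path, so whatever the path resolves to at the second step is what gets deleted. As an added example (not code from this page, from Microsoft or from 0patch), the C below shows a POSIX analogue of such a writability probe in its unsafe shape and in a pinned-handle shape that performs both operations relative to a single directory handle and confirms the inode before unlinking. The function names are hypothetical; a privileged Windows service should additionally run such a probe under the requesting user’s identity (impersonation) rather than as SYSTEM.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* UNSAFE shape (for contrast): the path string is resolved twice, once by
 * open() and again by unlink(). Anything that changes what "path" points to
 * in between makes a privileged caller delete a file it never created.
 * This mirrors "create temp file, then DeleteFile(path)" in the backup probe. */
int probe_writable_by_path(const char *dir) {
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/.probe-%ld", dir, (long)getpid());
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return 0;
    close(fd);
    unlink(path);          /* second, independent resolution of the path */
    return 1;
}

/* HARDENED shape: pin the destination directory once, create and unlink
 * relative to that handle, and refuse to unlink unless the entry is still
 * the inode we created. The directory cannot be swapped underneath the
 * probe; whoever can alter the pinned directory already controls it. */
int probe_writable_pinned(const char *dir) {
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dfd < 0) return 0;                 /* not a directory, or no access */
    char name[64];
    snprintf(name, sizeof name, ".probe-%ld", (long)getpid());
    int fd = openat(dfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0) { close(dfd); return 0; }  /* cannot create here: not writable */
    struct stat created, current;
    int same = fstat(fd, &created) == 0
            && fstatat(dfd, name, &current, AT_SYMLINK_NOFOLLOW) == 0
            && created.st_dev == current.st_dev
            && created.st_ino == current.st_ino;
    int ok = same && unlinkat(dfd, name, 0) == 0;
    close(fd);
    close(dfd);
    return ok;
}

int main(void) {
    printf("/tmp writable (pinned probe): %d\n", probe_writable_pinned("/tmp"));
    printf("/dev/null as directory:       %d\n", probe_writable_pinned("/dev/null"));
    return 0;
}
```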

Appendix

Mention of the CVE on a Russian-speaking cybercrime forum

Post discussing the exploit

Various mentions of this CVE and the exploit PoC have been found on Russian-speaking Telegram channels.
