A Temporary Fix Issued For HiveNightmare / SeriousSAM
According to researcher Abdelhamid Naceri, a Windows vulnerability, CVE-2021-24084, lets a local attacker steal data and escalate privileges. The issue was originally reported in October 2020 and has yet to receive an official fix; a micropatch has been rolled out as a stop-gap measure.
Naceri discovered that CVE-2021-24084, first treated as an information disclosure bug, can also be exploited for local privilege escalation (LPE): a non-admin user can read arbitrary files they have no permission to access. In a proof-of-concept exploit he showed that it is possible to copy files from a location of his choosing into a Cabinet (.CAB) archive that the user can then open and read.
The vulnerability lives in the "Access work or school" settings page. A regular user can invoke the "Export your management log files" function, which triggers the Device Management Enrollment Service. The service first copies a set of log files into C:\ProgramData\Microsoft\MDMDiagnostics, then packages them into a .CAB file; during packaging the files are temporarily copied to C:\Windows\Temp. The resulting .CAB file is finally placed in C:\Users\Public\Public Documents\MDMDiagnostics, where any user can read it.
While the files are being staged in C:\Windows\Temp, a local attacker can plant a file system link (a junction or another kind of link) under a file name the export process expects, pointing at whatever folder or file they want to read. Because the Device Management Enrollment Service runs as Local System, it can read files the attacker cannot, and it packs the target into the .CAB archive that is then dropped where the attacker can open it.
As a temporary fix, the micropatch checks for links during .CAB creation. It is placed immediately before the CopyFileW call that opens the source file for copying, and it uses GetFinalPathNameByHandleW to determine whether any junctions or other types of links are used in the path. If they are, the patch makes it look as if the CopyFileW call failed, which skips the copying of any file that does not actually reside in C:\Windows\Temp. Microsoft has not commented on a timeline for an official patch.
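As an added illustration of the copy process and the check described above (this is not 0patch's micropatch code, nor Microsoft's), the following PowerShell performs the same three steps from user mode: open the source file, ask GetFinalPathNameByHandleW where the open handle really points, and refuse the copy unless the answer is exactly the requested path inside the trusted directory. The Add-Type P/Invoke declarations, the function names Copy-FileWithoutLinks, Get-FinalPathOfOpenFile and Get-LongPathName, and the lab directories, junction and file names are this example's own constructions; the real service's staging folder is C:\Windows\Temp and the file names it expects are not given on this page.

```powershell
# Added example, not code from 0patch or Microsoft: a copy routine that applies the same
# check the micropatch applies, from PowerShell. The source is opened first, then
# GetFinalPathNameByHandleW (reached through a P/Invoke signature declared with Add-Type,
# an assumption of this example) reports where the open handle really points, and the copy
# is refused when that location is not the requested path inside the trusted directory.
# Lab directories, the junction and the file names below are constructed for the demo.

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint GetFinalPathNameByHandleW(
    IntPtr hFile, System.Text.StringBuilder lpszFilePath, uint cchFilePath, uint dwFlags);

[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint GetLongPathNameW(
    string lpszShortPath, System.Text.StringBuilder lpszLongPath, uint cchBuffer);
'@

function Get-FinalPathOfOpenFile {
    # Where does this handle point once every junction/symlink has been followed?
    param([Parameter(Mandatory)][System.IO.FileStream]$Stream)
    $buf = New-Object System.Text.StringBuilder 32768
    # dwFlags 0 = FILE_NAME_NORMALIZED | VOLUME_NAME_DOS, returned as "\\?\C:\real\path"
    $len = [Win32.Native]::GetFinalPathNameByHandleW(
        $Stream.SafeFileHandle.DangerousGetHandle(), $buf, $buf.Capacity, 0)
    if ($len -eq 0 -or $len -gt $buf.Capacity) { throw "GetFinalPathNameByHandleW failed" }
    $final = $buf.ToString()
    if ($final.StartsWith('\\?\')) { $final = $final.Substring(4) }  # drop the extended-length prefix
    return $final
}

function Get-LongPathName {
    # Expand 8.3 names (C:\Users\JOHNDO~1\...) so the string comparison against the final path is fair.
    param([Parameter(Mandatory)][string]$Path)
    $buf = New-Object System.Text.StringBuilder 32768
    $len = [Win32.Native]::GetLongPathNameW($Path, $buf, $buf.Capacity)
    if ($len -eq 0 -or $len -gt $buf.Capacity) { throw "GetLongPathNameW failed for $Path" }
    return $buf.ToString()
}

function Copy-FileWithoutLinks {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Destination,
        [Parameter(Mandatory)][string]$AllowedRoot   # C:\Windows\Temp in the real service
    )
    $requested = Get-LongPathName ([System.IO.Path]::GetFullPath($Source))
    $root      = (Get-LongPathName ([System.IO.Path]::GetFullPath($AllowedRoot))).TrimEnd('\') + '\'
    # Open first, then ask the kernel where the handle points. A link swapped in after this
    # open can no longer redirect the copy, so there is no check-then-act gap to race.
    $fs = [System.IO.File]::Open($requested, 'Open', 'Read', 'ReadWrite')
    try {
        $final      = Get-FinalPathOfOpenFile -Stream $fs
        $redirected = -not [string]::Equals($final, $requested, 'OrdinalIgnoreCase')
        $escaped    = -not $final.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)
        if ($redirected -or $escaped) {
            # The branch the micropatch takes: report a failed copy instead of copying.
            throw "Refusing to copy: '$requested' actually resolves to '$final'"
        }
        $out = [System.IO.File]::Create($Destination)
        try { $fs.CopyTo($out) } finally { $out.Dispose() }
    } finally {
        $fs.Dispose()
    }
}

# --- constructed lab: a stand-in for C:\Windows\Temp plus a file the user is not meant to read ---
$lab    = Join-Path $env:TEMP ('mdm-link-demo-' + [guid]::NewGuid().ToString('N'))
$temp   = Join-Path $lab 'Temp'
$secret = Join-Path $lab 'secret'
New-Item -ItemType Directory -Path $temp, $secret | Out-Null
Set-Content -LiteralPath (Join-Path $temp 'export.log')   -Value 'harmless log line'
Set-Content -LiteralPath (Join-Path $secret 'target.txt') -Value 'contents an attacker wants'
# The attacker's move from the article: a junction inside the staging folder that points elsewhere.
New-Item -ItemType Junction -Path (Join-Path $temp 'hijack') -Target $secret | Out-Null

Copy-FileWithoutLinks -Source (Join-Path $temp 'export.log') `
                      -Destination (Join-Path $lab 'out.log') -AllowedRoot $temp
Write-Host 'plain file inside the staging folder: copied'
try {
    Copy-FileWithoutLinks -Source (Join-Path $temp 'hijack\target.txt') `
                          -Destination (Join-Path $lab 'leak.txt') -AllowedRoot $temp
} catch {
    Write-Host "file reached through a junction: $($_.Exception.Message)"
}
```

Run it as an ordinary user in Windows PowerShell 5.1 or PowerShell 7; creating a junction needs no administrator rights, which is exactly why the attacker can plant one. The point worth taking from the patch is that the query is made on the handle that has already been opened, not on the path string: comparing strings before opening would leave a window in which the link is swapped in after the check, and a service running as Local System would still copy the wrong file. One caveat of this approximation: GetFinalPathNameByHandleW with the VOLUME_NAME_DOS flag returns a drive-letter path, so a staging folder on a volume mounted without a drive letter would need the VOLUME_NAME_GUID form instead.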