Friday, January 15, 16:39

Windows Group Policy: Error allows intruders to gain administrator rights

Microsoft has corrected a flaw, present in all currently supported releases, that allows intruders to abuse Windows Group Policy to gain full control of a computer. The flaw in Windows Group Policy affects all versions of Windows from Windows Server 2008 onwards. Windows administrators can remotely manage all Windows devices on a network through the "Group Policy" feature. In particular, this feature allows administrators to create a centralized configuration policy for their organization, which is pushed to all Windows devices on their network. These policies allow an administrator to control how a computer can be used, for example by disabling settings in applications, banning applications, enabling and disabling Windows functions, and even deploying the same wallpaper on every Windows computer.

To retrieve new Windows group policies, Windows devices use the "Group Policy Client" service, or "gpsvc", which regularly connects to the domain controller and checks for new group policy updates. To be able to apply these new group policies, the "gpsvc" service is configured to run with "SYSTEM" privileges, which grant the same rights and permissions as the administrator account.

The Group Policy Client service allows intruders to escalate privileges
As part of the June 2020 Patch Tuesday security updates, Microsoft fixed CVE-2020-1317, a privilege escalation flaw in Group Policy that allows local intruders to execute any command with administrator privileges. The bug was discovered by the cybersecurity company CyberArk, which identified a symlink attack on a file used for group policy updates that yields elevated privileges. The flaw can affect any Windows computer (2008 or later). When a group policy update that applies to all devices in an organization is run, Windows writes the new policies on each computer into a subfolder of %LocalAppData%, to which every user, including a standard user, has write access. For example, if the policy concerns printers, it is stored in: C:\Users\[user]\AppData\Local\Microsoft\Group Policy\History\{szGPOName}\USER-SID\Preferences\Printers\Printers.xml. Having full access to a file known to be used by a "SYSTEM"-privileged process, CyberArk found that they could create a symbolic link from that file to an RPC command that runs a DLL.

Since the Group Policy Client service runs with "SYSTEM" permissions, when it attempts to apply the policies in this file it will instead execute any DLL the intruders want, with "SYSTEM" permissions. To trigger this flaw, local intruders can run gpupdate.exe, which manually synchronizes Group Policy. This command then triggers the policy update and executes the attacker's malicious DLL.

According to CyberArk, the steps to exploit this flaw are the following:

  • Look at the Group Policy GUIDs you have under C:\Users\user\AppData\Local\Microsoft\Group Policy\History\.
  • If you have many GUIDs, check which directory was updated most recently.
  • Go to that directory and its sub-directory, which is the user's SID.
  • Look at the most recently modified entry. This will differ in your environment.
  • Delete the file Printers.xml in the Printers directory.
  • Create an NTFS mount point to \RPC Control plus an Object Manager symlink so that Printers.xml points at C:\Windows\System32\everything.dll.
  • Open your favorite terminal and run gpupdate.

With standard, unprivileged users still able to create files in arbitrary locations, intruders can ultimately exploit this flaw to escalate their privileges. As the flaw affects millions, if not billions, of computers, it is a serious security weakness that all Windows administrators should address as soon as possible. CyberArk disclosed the flaw to Microsoft last June, and Microsoft has now fixed it with its June 2020 Patch Tuesday security updates.
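The technique above hinges on a mount point or symlink planted inside the per-user Group Policy History cache, a location where no reparse point should ever legitimately exist. The following PowerShell script is an added defender-side check, not code from CyberArk or Microsoft: it scans that cache for reparse points so an administrator can flag tampering on unpatched machines. The root path is an assumption based on the directory named in the article; the `Target` property is an assumption about the PowerShell version in use.

```powershell
# Added detection example (not from the article's sources): look for NTFS
# reparse points (mount points, junctions, symlinks) inside the Group Policy
# History cache, which should contain only ordinary files and directories.
# Assumes the cache lives under %LocalAppData%\Microsoft\Group Policy\History,
# as the article describes; run as the user being inspected, or pass -HistoryRoot
# with an explicit C:\Users\<user>\AppData\Local\... path when run as an admin.
param(
    [string]$HistoryRoot = (Join-Path $env:LOCALAPPDATA 'Microsoft\Group Policy\History')
)

function Find-GpHistoryReparsePoints {
    param([Parameter(Mandatory)][string]$Root)

    if (-not (Test-Path -LiteralPath $Root)) {
        Write-Verbose "No Group Policy History cache at $Root"
        return @()
    }

    # -Force includes hidden entries; the ReparsePoint attribute covers
    # junctions, mount points and symbolic links alike.
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::ReparsePoint } |
        ForEach-Object {
            [PSCustomObject]@{
                Path      = $_.FullName
                Kind      = if ($_.PSIsContainer) { 'directory reparse point (junction/mount point)' }
                            else { 'file reparse point (symlink)' }
                # Target is populated for reparse points on Windows PowerShell 5.1
                # and PowerShell 7 (assumption: older hosts may leave it empty).
                Target    = $_.Target
                LastWrite = $_.LastWriteTime
            }
        }
}

$findings = @(Find-GpHistoryReparsePoints -Root $HistoryRoot)
if ($findings.Count -eq 0) {
    Write-Output "No reparse points found under $HistoryRoot"
} else {
    Write-Warning "Reparse point(s) found under the Group Policy History cache:"
    $findings | Format-Table -AutoSize
}
```

A hit here on a machine that has not yet received the June 2020 updates warrants treating the host as compromised rather than simply removing the link, since the gpupdate trigger may already have run.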

