
Windows Group Policy: Error allows intruders to gain administrator rights

Microsoft has fixed a bug, present in all current releases, that lets attackers abuse Windows Group Policy to take full control of a computer. The flaw affects every version of Windows from Windows Server 2008 onwards. Windows administrators can manage all of the Windows devices on a network remotely through the "Group Policy" feature. It lets an administrator define a centralised configuration policy for the organisation, which is pushed to every Windows device on the network. These policies control how a computer may be used: disabling settings in applications, blocking applications, enabling or disabling Windows features, and even deploying the same wallpaper to every Windows computer.

To pick up new Group Policies, Windows devices run the "Group Policy Client" service ("gpsvc"), which regularly connects to the domain controller and checks for updated group policies. So that it can apply those policies, the "gpsvc" service is configured to run with "SYSTEM" privileges, which give it the same permissions as the administrator account.

The Group Policy Client service allows intruders to escalate privileges
As part of the June 2020 Patch Tuesday security updates, Microsoft fixed CVE-2020-1317, a privilege escalation bug in Group Policy that lets a local attacker execute any command with administrator privileges. The bug was discovered by the security company CyberArk, which found a symlink attack against a file used for Group Policy updates that yields elevated privileges. It can affect any Windows computer (2008 or later). When a Group Policy update that applies to all of an organisation's devices is run, Windows writes the new policies to a subfolder of %LocalAppData% on the computer, to which every user, including a standard user, has write access. For example, a printer-related policy is stored at: C:\Users\[user]\AppData\Local\Microsoft\Group Policy\History\{szGPOName}\USER-SID\Preferences\Printers\Printers.xml. Given full access to a file known to be used by a "SYSTEM"-privileged process, CyberArk found that they could turn the file into a symbolic link pointing at a DLL, which an RPC command then loads.

Because the Group Policy Client service runs with "SYSTEM" permissions, when it tries to apply the policies in that file it will instead load whatever DLL the attacker chose, with "SYSTEM" permissions. To trigger the bug, a local attacker can run gpupdate.exe, which forces a manual Group Policy synchronisation. That command triggers the policy update and executes the attacker's malicious DLL.

According to CyberArk, the steps to exploit this bug are the following:

  • Go to the Group Policy GUID directory under C:\Users\user\AppData\Local\Microsoft\Group Policy\History\.
  • If there are many GUIDs, check which directory was updated most recently.
  • Enter that directory and its sub-directory, which is the user's SID.
  • Look at the most recently modified directory. This will differ in your environment.
  • Delete the file Printers.xml in the Printers directory.
  • Create an NTFS mount point to \RPC Control plus an Object Manager symlink, with Printers.xml pointing to C:\Windows\System32\everything.dll.
  • Open your favourite terminal and run gpupdate.

Since standard, unprivileged users can still create files in arbitrary locations, attackers can ultimately exploit this bug to escalate their privileges. As it affects millions, if not billions, of computers, it is a serious security flaw that all Windows administrators should address as soon as possible. CyberArk reported the bug to Microsoft last June, and Microsoft has now fixed it in the June 2020 Patch Tuesday security updates.
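As an added example (not from the article, Microsoft or CyberArk), here is a cross-platform Python check a defender can run against the per-user Group Policy History tree described above: legitimate contents are plain directories and XML files, so any junction or symbolic link there, such as a Printers directory swapped for a link, is worth investigating. The History path, the sample GPO GUIDs and the SID in the demo are assumptions or constructed values.

```python
import os
import stat
import tempfile
from pathlib import Path

# NTFS attribute present on every reparse point (junctions and symlinks alike);
# Python exposes it as st_file_attributes on Windows only.
FILE_ATTRIBUTE_REPARSE_POINT = 0x400
# Assumed default location of the per-user Group Policy History tree on Windows.
DEFAULT_HISTORY = os.path.expandvars(r"%LocalAppData%\Microsoft\Group Policy\History")


def is_reparse_point(path):
    """True for a symbolic link on any OS, or a junction/other reparse point on Windows."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return True
    return bool(getattr(st, "st_file_attributes", 0) & FILE_ATTRIBUTE_REPARSE_POINT)


def scan_gp_history(history_root=DEFAULT_HISTORY):
    """Return (entry, link target) for every reparse point under the History tree.
    A healthy tree holds only plain directories ({GPO GUID}\\<user SID>\\Preferences\\...)
    and plain .xml files, so any junction or symlink in it deserves triage."""
    findings = []
    if not Path(history_root).is_dir():
        return findings
    for dirpath, dirnames, filenames in os.walk(history_root):  # does not follow links
        for name in dirnames + filenames:
            entry = Path(dirpath) / name
            if is_reparse_point(entry):
                try:
                    target = os.readlink(entry)  # symlinks, and junctions on Windows
                except OSError:
                    target = None
                findings.append((str(entry), target))
    return findings


def demo():
    """Constructed sample tree: one benign GPO directory, one whose Printers directory was replaced by a link."""
    sid = "S-1-5-21-1111-2222-3333-1001"  # constructed SID, not a real account
    with tempfile.TemporaryDirectory() as tmp:
        hist = Path(tmp) / "History"
        benign = hist / "{11111111-0000-0000-0000-000000000001}" / sid / "Preferences" / "Printers"
        benign.mkdir(parents=True)
        (benign / "Printers.xml").write_text("<Printers/>")
        prefs = hist / "{22222222-0000-0000-0000-000000000002}" / sid / "Preferences"
        prefs.mkdir(parents=True)
        (Path(tmp) / "elsewhere").mkdir()
        os.symlink(Path(tmp) / "elsewhere", prefs / "Printers", target_is_directory=True)
        return scan_gp_history(hist)  # reports the swapped Printers directory only
```

On a real host, call scan_gp_history() with no arguments (or with the History path of another user's profile when run as an administrator) and triage every entry it returns; demo() only exercises the check on the constructed tree.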
