Windows 0-day drops the same day Microsoft releases record number of patches





NIGHTMARE ECLIPSE STRIKES AGAIN

Windows 0-day drops the same day Microsoft releases record number of patches

HiveLegacy is a “powerful primitive” that’s likely capable of other nefarious actions.


Dan Goodin




|

8





Credit:

Getty Images


Credit:

Getty Images




Story text








Right on the heels of Microsoft releasing a record number of security patches, a researcher has published exploit code that can enable low-privilege Windows accounts to make sensitive changes to administrator accounts.

The exploit, which multiple researchers say works, is sending Microsoft scrambling, yet again, to patch a zero-day released by an anonymous researcher who has complained about the software maker’s handling of their bug reports. To date, the pseudonymous NightmareEclypse has published nine such exploits, including Tuesday’s HiveLegacy. The researcher said the proof-of-concept code included in the report was stripped down to prevent attackers from using it maliciously.

A “pretty powerful primitive”

HiveLegacy is an elevation-of-privilege exploit that targets a vulnerability residing in the Windows User Profile Service. It allows users (and with more work likely processes) with limited system rights to compromise an admin user’s account by modifying its classes registry hive, a resource that ensures the correct application opens when certain types of files are clicked on in Windows Explorer.

At a minimum, that means the attacker can modify the Windows registry associated with an administrator account. As written, the exploit requires the attacker to know another user’s credentials. The account need not be admin. An attacker must also know the username of a third account, also with or without admin status, on the machine.

“If I can set up the system so that it runs my code when the admin user logs in,” the attacker has de facto administrator privileges, Will Dormann, a senior principal vulnerability analyst at Tharros Labs, said in an interview. “I don’t need to be an admin myself.”

In a post, he said that “the ability of a non-admin user to be able to modify the classes registry hive of an admin user is a pretty powerful primitive. Clever attackers or people who want to accomplish something will easily be able to figure out how to do things that are more interesting and/or don’t even require user interaction.”

Dormann said that the exploit could possibly be chained to a separate one that gives direct access to an administrative account.

As explained in a post by a different analyst: “When a new user is logging on, Windows needs to load the user’s class hive. Since the user isn’t logged on before logging on (tautology, I know), it can’t be loaded in the context of the user. So it is loaded in the context of NT AUTHORITY\SYSTEM. LegacyHive abuses this.”

In an emailed statement, Microsoft said it’s aware of the vulnerability report and is investigating. The company also noted its preference that vulnerability reporters follow a coordinated disclosure policy.

For now, Windows users who want to protect their systems against HiveLegacy can run a detection script published by independent researcher Kevin Beaumont. Other defenses are to restrict local non-user account creation, monitor ProfSvc for unexpected hive loads, and track NTUSER.DAT/UsrClass.dat activity.

Photo of Dan Goodin


Dan Goodin

Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him at here on Mastodon and here on Bluesky. Contact him on Signal at DanArs.82.


8 Comments

Leer artículo original en Ars Technica