Zero-day bug in Windows 7 and Windows Server 2008
A local privilege escalation (LPE) vulnerability that affects all Windows 7 and Server 2008 R2 devices was fixed today via the 0patch platform.
Zero-day affects all devices affected by Microsoft Extended Security Updates (ESU).
At present, only small and medium-sized enterprises or organizations with licensing agreements can obtain an ESU license until January 2023.
The LPE vulnerability comes from the incorrect configuration of two service registry keys and allows local attackers to increase their privileges on any fully updated Windows 7 and Server 2008 R2 system.
It was discovered by security researcher Clément Labro, who he published his research earlier this month, stating how insecure rights in registry keys
HKLM \ SYSTEM \ CurrentControlSet \ Services \ Dnscache and HKLM \ SYSTEM \ CurrentControlSet \ Services \ RpcEptMapper
allow intruders to defraud the RPC Endpoint Mapper service to load malicious DLLs.
This allows them to obtain arbitrary code execution within the service Windows Management Instrumentation (WMI) executed with rights LOCAL SYSTEM.
"In short, a local user who is not an administrator on the computer generates a subkey, completes it with certain values, and enables performance monitoring, which drives a local system process (WmiPrvSE.exe) to load into the intruder DLL and run code from it, ”says Mitja Kolsek.
Free update for all affected Windows systems
0patch updates are sent through the 0patch platform to Windows clients for real-time security fixes and are applied to current processes without requiring a system reboot.
This micropatch is available to everyone for free until Microsoft releases a formal bug fix and troubleshooting bad registry license.
The micropatch "sabotages the performance monitoring features for the two affected services, Dnsclient and RpcEptMapper," says 0patch.
Source code of the micropatch. It simply sabotages performance monitoring operations for the two affected services, Dnsclient and RpcEptMapper. (If perf monitoring is needed, the micropatch can be temporarily disabled.) pic.twitter.com/pbqtyzIzgt
- 0patch (@ 0patch) November 25
Below is a video showing how to block exploit: