A local privilege escalation (LPE) vulnerability that affects all Windows 7 and Server 2008 R2 devices was fixed today via the 0patch platform.
The zero-day affects all devices covered by Microsoft Extended Security Updates (ESU).
At present, only small and medium-sized enterprises or organizations with licensing agreements can obtain an ESU license, which runs until January 2023.
The LPE vulnerability stems from the incorrect configuration of two service registry keys and allows local attackers to elevate their privileges on any fully updated Windows 7 and Server 2008 R2 system.
It was discovered by security researcher Clément Labro, who published his research earlier this month, showing how insecure permissions on the registry keys
HKLM\SYSTEM\CurrentControlSet\Services\Dnscache and HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper
allow attackers to trick the RPC Endpoint Mapper service into loading malicious DLLs.
This gives them arbitrary code execution within the Windows Management Instrumentation (WMI) service, which runs with LOCAL SYSTEM rights.
“In short, a non-admin local user on the computer creates a subkey, fills it with certain values and triggers performance monitoring, which causes a local system process (WmiPrvSE.exe) to load the attacker's DLL and run code from it,” says Mitja Kolsek.
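The root cause described above is a permissions problem on two service keys, so the check an administrator would want is an audit of who holds write rights on them and whether a performance-counter provider subkey has already been registered there. The script below is an added example, not code from 0patch or from Labro's research; the list of low-privilege principals and the Performance subkey structure it inspects are assumptions based on how Windows registers performance providers, not something the article spells out.

```powershell
# Added audit script: flags write/create rights held by low-privilege principals on the
# two service keys named in the article, and reports any existing Performance subkey.
$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache',
    'HKLM:\SYSTEM\CurrentControlSet\Services\RpcEptMapper'
)
# Principals that should never be able to create subkeys or values here (assumption)
$lowPriv = @('NT AUTHORITY\Authenticated Users', 'BUILTIN\Users',
             'NT AUTHORITY\INTERACTIVE', 'Everyone')
# Rights that allow creating the subkey and values the article describes
$writeMask = [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
             [System.Security.AccessControl.RegistryRights]::SetValue -bor
             [System.Security.AccessControl.RegistryRights]::WriteKey -bor
             [System.Security.AccessControl.RegistryRights]::FullControl

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { Write-Output "$key : not present"; continue }
    $acl = Get-Acl -Path $key
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.RegistryRights -band $writeMask) -ne 0) {
            Write-Output "WEAK ACL  $key : $($ace.IdentityReference) has $($ace.RegistryRights)"
        }
    }
    # A Performance subkey is where a perf provider DLL is registered (standard
    # Windows layout, assumed here); on these two services it deserves review.
    $perf = Join-Path $key 'Performance'
    if (Test-Path $perf) {
        $lib = (Get-ItemProperty -Path $perf -ErrorAction SilentlyContinue).Library
        Write-Output "REVIEW    $perf exists, Library = $lib"
    } else {
        Write-Output "OK        no Performance subkey under $key"
    }
}
```

Run it in an elevated PowerShell session on an affected host; a "WEAK ACL" line on either key means the misconfiguration the article describes is present and the micropatch (or a manual ACL correction) is warranted.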
Free update for all affected Windows systems
0patch updates are delivered through the 0patch platform to Windows clients as real-time security fixes and are applied to running processes without requiring a system reboot.
This micropatch is available to everyone for free until Microsoft releases an official fix for the misconfigured registry permissions.
“The micropatch 'sabotages' the performance monitoring functions for the two affected services, Dnsclient and RpcEptMapper,” 0patch reports.
Source code of the micropatch. It simply sabotages performance monitoring operations for the two affected services, Dnsclient and RpcEptMapper. (If perf monitoring is needed, the micropatch can be temporarily disabled.) pic.twitter.com/pbqtyzIzgt
- 0patch (@0patch) November 25, 2020
Below is a video showing how the exploit is blocked: