An unpatched local privilege escalation (LPE) vulnerability affecting all Windows 7 and Server 2008 R2 devices received a free and temporary fix today through the 0patch platform.
The zero-day bug affects all impacted devices, enrolled in Microsoft’s Extended Security Updates (ESU) program or not until the company will release its own security updates to ESU customers.
0patch’s free micropatch is targeting Windows 7 and Server 2008 R2 computers without ESU (updated to January 2020) and those with ESU (updated to November 2020).
At the moment, only small-and-midsize businesses or organizations with volume-licensing agreements can get an ESU license until January 2023.
From registry misconfiguration to zero-day
The LPE vulnerability stems from the misconfiguration of two service registry keys and it enables local attackers to elevate their privileges on any fully patched Windows 7 and Server 2008 R2 system.
It was discovered by security researcher Clément Labro who published his research earlier this month detailing how insecure permissions on the HKLM\SYSTEM\CurrentControlSet\Services\Dnscache and HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper registry keys allow attackers to trick the RPC Endpoint Mapper service to load malicious DLLs.
This enables them to gain arbitrary code execution in the context of the Windows Management Instrumentation (WMI) service which runs with LOCAL SYSTEM permissions.
“In short, a local non-admin user on the computer just creates a Performance subkey in one of the above keys, populates it with some values, and triggers performance monitoring, which leads to a Local System WmiPrvSE.exe process loading attacker’s DLL and executing code from it,” as 0patch co-founder Mitja Kolsek explained.
“At this point, if you are still using Windows 7 / Server 2008 R2 without isolating these machines properly in the network first, then preventing an attacker from getting SYSTEM privileges is probably the least of your worries,” Labro said.
Free micropatch for all affected Windows systems
0patch micropatches are code sent through the 0patch platform to Windows clients to patch security issues in real-time and applied to running processes without requiring a system restart.
This micropatch is available for free to everyone until Microsoft releases an official fix for the zero-day to address the registry bad permission issues.
The micropatch “sabotages performance monitoring operations for the two affected services, Dnsclient and RpcEptMapper”, 0patch says.
“In case performance monitoring is needed for these services, the micropatch can always be temporarily disabled (again, no restart of the service, much less of the computer, is needed for that),” Kolsek added.