Microsoft Fixes LPE Vulnerability Impacting Windows 7 and Server 2008
Microsoft quietly patched a local privilege escalation (LPE) flaw that affects both Windows 7 and Server 2008 R2 computers. This LPE flaw (which has yet to be assigned a CVE ID) is caused by a misconfiguration of two service registry keys, and it enables local attackers to escalate privileges on fully patched devices.
On Windows 7 and Windows Server 2008R2, security researcher Clément Labro discovered that insecure permissions on the registry keys of the RpcEptMapper and DnsCache services enable attackers to trick the RPC Endpoint Mapper service into loading malicious DLLs. Attackers can execute arbitrary code in the sense of the Windows Management Instrumentation (WMI) service, which runs with LOCAL SYSTEM permissions, by leveraging this flaw.
“In short, a local non-admin user on the computer just creates a Performance subkey in one of the above keys, populates it with some values, and triggers performance monitoring, which leads to a Local System WmiPrvSE.exe process loading attacker’s DLL and executing code from it,” 0patch co-founder Mitja Kolsek explained when the flaw was first announced as a zero-day in November.
Labro said he discovered the zero-day after releasing an update to PrivescCheck, a method for checking basic Windows protection misconfigurations that can be used by malware for privilege escalation. Labro said he didn’t realize the latest tests were highlighting an unpatched privilege escalation process until he started looking at a series of warnings that appeared days after the update on older systems like Windows 7.
Both Windows 7 and Windows Server 2008 R2 had passed their end-of-life (EOL) deadlines, and Microsoft had stopped offering free software patches for them. While the company’s ESU (Extended Support Updates) paid support service included some security updates for Windows 7 users, no patch for this problem was announced at the time.
Although Microsoft quietly solved the RpcEptMapper registry key vulnerability (as discovered by 0patch) in the April 2021 Windows Updates (ESU) release by modifying permissions for groups Authenticated Users and Users to no longer require ‘Create Subkey,’ the organization has yet to resolve the DnsCache vulnerability. Since February, an open-source exploit tool for the Windows 7 / 2008R2 RpcEptMapper registry key vulnerability has been available.
However, “at this point, if you are still using Windows 7 / Server 2008 R2 without isolating these machines properly in the network first, then preventing an attacker from getting SYSTEM privileges is probably the least of your worries,” as Labro said.