Windows Group Policy Flaw allows attackers to gain Admin Privileges


Microsoft has fixed a vulnerability in all current versions of Windows that allows a local attacker to abuse the Windows Group Policy feature and take full control of a computer. The flaw affects every version of Windows from Windows Server 2008 onward, including Windows 7, 8, 8.1 and Windows 10.

Group Policy is a feature of Microsoft Windows through which administrators can remotely manage all of the Windows devices on a network. It lets administrators define a centralized configuration policy for the organization that is pushed out to every Windows device they manage.

These group policies control how each computer can be used: disabling settings in applications, prohibiting programs from running, enabling or disabling Windows features, and even deploying the same wallpaper and themes to every Windows computer. To check for new group policies, Windows devices use the 'Group Policy Client' service (service name 'gpsvc'), which routinely connects to the domain controller and checks for policy updates.

[Image: Group Policy Client Properties (Local Computer)]

The gpsvc service runs as 'SYSTEM' so that it can apply new policies. SYSTEM is the most privileged local account on Windows and holds at least the rights and permissions of the built-in Administrator account, which is why a flaw in this service amounts to a full local privilege escalation.

Group Policy flaw lets attackers elevate to admin privileges

On 06 March 2020, Microsoft released patches for this vulnerability, which allows a local attacker to run any command with administrative privileges. The flaw was discovered by the cybersecurity firm CyberArk, which stated in its report that it could be used on any Windows machine (2008 or higher) to escalate privileges in a domain environment.

Because a Group Policy update has to reach every device in the organization, Windows writes the new policies to a subfolder of the user's %LocalAppData% folder. Any user, including a standard user, can write to that folder, yet the files in it are later processed by a service running as SYSTEM. CyberArk discovered that by replacing such a file with a symlink (symbolic link) they could redirect the service to an RPC command that executes a DLL. Because gpsvc runs with SYSTEM privileges, when it attempts to apply the policies in that file it instead executes whatever DLL the attacker chose, with SYSTEM privileges.

How an attacker triggers this vulnerability

A local threat actor can trigger the flaw simply by running gpupdate.exe, which performs a manual Group Policy synchronization. The forced update makes gpsvc process the attacker's symlinked policy file and load the malicious DLL as SYSTEM. CyberArk summarized the exploitation steps as follows:

[Image: Steps to exploit this vulnerability]
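The two ingredients described above, a SYSTEM service and a user-writable policy cache that it trusts, can be checked for on a machine you administer. The following PowerShell script is an added example written for this article; it is not CyberArk's proof of concept and does not come from Microsoft. It assumes that the per-user cache gpsvc writes is %LocalAppData%\Microsoft\Group Policy\History (the article only says "a subfolder of %LocalAppData%"), and it looks in every profile under C:\Users for the kind of reparse point (symlink or junction) an attacker would need to plant there before running gpupdate.exe. Run it from an elevated prompt so that every profile is readable.

```powershell
# Added example, not code from the article or from CyberArk's report.
# ASSUMPTION: the per-user policy cache lives under
#   %LocalAppData%\Microsoft\Group Policy\History
# which is the folder that gpsvc (running as SYSTEM) writes into a user-writable location.

# 1. Confirm the Group Policy Client runs as LocalSystem: this is why a
#    file-handling bug in it becomes a local privilege escalation.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='gpsvc'"
'{0,-6} State={1,-8} RunAs={2}' -f $svc.Name, $svc.State, $svc.StartName

# 2. Walk each user profile's policy cache. Report who may write into it and
#    flag any reparse points; a legitimate cache holds only plain files and
#    directories, so a symlink or junction here is exactly what the exploit
#    needs in place before gpupdate.exe is run.
$profiles = Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue
$findings = foreach ($p in $profiles) {
    $history = Join-Path $p.FullName 'AppData\Local\Microsoft\Group Policy\History'
    if (-not (Test-Path -LiteralPath $history)) { continue }

    # Identities holding write, modify or full rights on the cache folder.
    $writers = (Get-Acl -LiteralPath $history).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.FileSystemRights -match 'Write|Modify|FullControl'
        } |
        Select-Object -ExpandProperty IdentityReference -Unique

    # Any entry with the ReparsePoint attribute (symlink, junction, mount point).
    $links = Get-ChildItem -LiteralPath $history -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::ReparsePoint }

    [pscustomobject]@{
        Profile       = $p.Name
        HistoryPath   = $history
        WritableBy    = ($writers | ForEach-Object { $_.Value }) -join ', '
        ReparsePoints = ($links | ForEach-Object { $_.FullName }) -join '; '
    }
}

$findings | Format-Table -AutoSize

# 3. Anything in ReparsePoints deserves a look before the next policy refresh;
#    the attacker's trigger is the ordinary 'gpupdate /force', so a planted link
#    is consumed the moment a user, or the scheduled refresh, runs it.
$suspect = $findings | Where-Object { $_.ReparsePoints }
if ($suspect) {
    Write-Warning ("Reparse points found in the Group Policy cache of: " +
                   (($suspect | ForEach-Object { $_.Profile }) -join ', '))
}
```

On an unpatched host, a non-empty ReparsePoints column is the strongest single indicator; on a patched host the script still documents the two conditions the article describes, a SYSTEM service and a per-user folder it consumes, which is useful when deciding how urgently to roll out the update.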

In practice this means a standard user with no special privileges can create files in arbitrary locations and escalate to SYSTEM, and can also delete or modify protected system files. Because the flaw affects millions of devices, it is a severe security issue that Windows administrators should address by applying the patch as soon as possible.
