Friday, April 4, 2025

Microsoft Xbox Gaming Services Flaw Let Attackers Gain SYSTEM Privileges

A new elevation-of-privilege vulnerability has been discovered in Xbox Gaming Services that allows a threat actor to elevate their privileges to SYSTEM.

This particular vulnerability has been assigned CVE-2024-28916, and its severity has been given as 8.8 (High).

When this was reported to Microsoft, the researcher got a response stating “no security boundary is being broken here”.

However, Microsoft patched this vulnerability after it was clarified that it allows a non-admin user to gain SYSTEM privileges.

Microsoft’s response (Source: GitHub/Wh04m1001)

Microsoft Xbox Gaming Services – CVE-2024-28916

According to the reports shared with Cyber Security News, the GamingService is not a default service, but if it is installed on a system, a low-privileged user can use it to escalate their privileges to SYSTEM.

When a directory change occurs in the Gaming Services service, the service attempts to open the C:\XboxGames\GameSave\Content\MicrosoftGame.Config file using the privileges of the user attempting the change.

If the file is present, the Gaming Service will move the whole C:\XboxGames\GameSave folder via MoveFileW API call.

However, if this attempt fails with an access-denied error, the Gaming Service elevates its privileges to SYSTEM and performs the move operation.

Notably, the C:\XboxGames folder can be modified by members of the Authenticated Users group.

Even if a user does not have the privilege to modify this folder, they can still exploit the flaw by changing the directory location to any user-controlled directory and performing the following actions:

  • Deleting the C:\XboxGames folder,
  • Creating a new folder under the same name,
  • Dropping arbitrary DLL files inside the C:\XboxGames\GameSave folder,
  • Adding a “deny delete” ACL to the folder, which causes the operation to fail and the service to attempt it with escalated privileges.

Patch And Bypass

After reviewing this vulnerability, Microsoft patched it by adding a few mitigations and checks before moving the folder. The checks involve:

  • checking whether the destination folder is a reparse point, and
  • locking down both the source and destination directories by creating a temporary file (.tmp_ + digit) with the FILE_FLAG_DELETE_ON_CLOSE flag, which is also protected from deletion.

The researcher stated that this patch was flawed as the check for junction was being done before locking the directory.

This could allow a user to trick the service into treating the new installation directory as safe and then attempt to redirect it to the C:\Windows\System32\Spool\Drivers\x64 directory.

The time window can be extended by creating multiple temporary files, since the service specifies CREATE_ALWAYS and the creation fails if the file already exists.

The service keeps incrementing the temporary file's digit until a file is successfully created.
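The ordering flaw described above, generalized to a POSIX analog as an added example (not code from the article, the researcher, or Microsoft): symlinks stand in for NTFS junctions and an open directory descriptor stands in for the lock. The function names, paths, and the `between` hook are constructed for illustration, and the code assumes a POSIX system with `dir_fd` support.

```python
import os
import tempfile

def write_check_then_use(target, name, between=None):
    """Flawed order: validate the path, then resolve the same path again to use it."""
    if os.path.islink(target):                  # check, by name
        raise PermissionError("target is a link")
    if between:
        between()                               # window between check and use
    with open(os.path.join(target, name), "w") as f:   # use: path is re-resolved
        f.write("payload")

def write_pin_then_check(target, name, between=None):
    """Hardened order: pin the directory with a handle, then act only on the handle."""
    # O_NOFOLLOW refuses a link outright; the descriptor keeps referring to the
    # same directory object even if the path is later renamed or replaced.
    dfd = os.open(target, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        if between:
            between()                           # same window, now harmless
        fd = os.open(name, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW,
                     0o600, dir_fd=dfd)         # created relative to the pinned handle
        with os.fdopen(fd, "w") as f:
            f.write("payload")
    finally:
        os.close(dfd)

def run_case(writer):
    """Constructed scenario: 'install' is user-writable, 'protected' must stay untouched."""
    with tempfile.TemporaryDirectory() as root:
        install = os.path.join(root, "install")
        protected = os.path.join(root, "protected")
        os.mkdir(install)
        os.mkdir(protected)

        def swap():                             # the path changes after the check
            os.rename(install, install + ".old")
            os.symlink(protected, install)

        writer(install, "file.bin", between=swap)
        return sorted(os.listdir(protected))    # what ended up in the protected dir

if __name__ == "__main__":
    print("check-then-use:", run_case(write_check_then_use))
    print("pin-then-check:", run_case(write_pin_then_check))
```

On Windows the equivalent discipline is to take the lock (or open the directory handle) first and only then query that same handle for the reparse-point attribute, so the object that was validated is the object that gets used.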

A proof of concept for this vulnerability has been published, which abuses the spooler service to load an arbitrary DLL as SYSTEM.


Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.