Microsoft has fixed a vulnerability in all current Windows versions that allows an attacker to exploit the Windows Group Policy feature to take full control over a computer. This vulnerability affects all Windows versions since Windows Server 2008.

Windows administrators can remotely manage all of the Windows devices on a network through the Group Policy feature. This feature allows administrators to create a centralized global configuration policy for their organization that is pushed out to all of the Windows devices on their network.

These policies allow an administrator to control how a computer can be used, such as disabling settings in apps, prohibiting apps from running, enabling and disabling Windows features, and even deploying the same wallpaper on every Windows computer.

To check for new group policies, Windows devices use the 'Group Policy Client' service, or 'gpsvc', which routinely connects to the domain controller and checks for new group policy updates.

If any are found, the service applies them to the local system so that they are enforced as intended.

To properly apply these new policies, the gpsvc service is configured to run with 'SYSTEM' privileges, which provides the same rights and permissions as the Administrator account.

Group Policy Client service lets attackers elevate privileges

As part of today's Patch Tuesday security updates, Microsoft has fixed the 'CVE-2020-1317 | Group Policy Elevation of Privilege Vulnerability' that allows a local attacker to run any command with administrative privileges.

This vulnerability was discovered by cybersecurity firm CyberArk, who found a symlink attack against a file used for Group Policy updates to gain elevated privileges.

"This vulnerability permits an unprivileged user in a domain environment to perform a file system attack which in turn would allow malicious users to evade anti-malware solutions, bypass security hardening and could lead to severe damage in an organization's network. This vulnerability could impact any Windows machine (2008 or higher), to escalate its privileges in a domain environment," CyberArk states in its report.

When performing a group policy update that applies to all of the devices in an organization, Windows writes the new policies on each computer to a subfolder of the %LocalAppData% folder, a location that any user, including a standard user, has permission to modify.

For example, if the organizational policy were related to printers, it would be saved in:

C:\Users\[user]\AppData\Local\Microsoft\Group Policy\History\{szGPOName}\USER-SID\Preferences\Printers\Printers.xml

Because the user has full access to a file that is known to be read by a process running with SYSTEM privileges, CyberArk found that the file could be replaced with a symbolic link pointing at an RPC Control object that causes a DLL to be executed.

As the Group Policy Client service runs with SYSTEM privileges, when it attempts to apply the policies in that file, it will instead execute any DLL the attacker chooses, with SYSTEM privileges.

To trigger this vulnerability, a local attacker could execute the gpupdate.exe program, which performs a manual group policy synchronization. This command would then trigger the policy update and run an attacker's malicious DLL.
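A defender-side check, added here as an example and not part of the article or of CyberArk's research: it walks the per-user Group Policy History cache described above and flags any entry that is a reparse point (symlink, junction or NTFS mount point), since gpsvc only ever writes plain files and directories there. The directory layout, the GPO GUIDs and the SID in the demo are constructed, and a symlink stands in for the mount point so the scan runs on any OS.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import List

def is_reparse_point(path: Path) -> bool:
    """True for a symlink on any OS, or any NTFS reparse point on Windows
    (junctions / mount points are reparse points but not S_ISLNK)."""
    st = os.lstat(path)  # never follow the link itself
    if stat.S_ISLNK(st.st_mode):
        return True
    attrs = getattr(st, "st_file_attributes", 0)  # Windows only
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0))

def find_redirections(history_dir: Path) -> List[Path]:
    """Return every entry under the Group Policy History cache that is a
    reparse point. gpsvc writes plain files and directories there, so a
    link or mount point is a candidate redirection of a file it will open."""
    hits: List[Path] = []
    if not history_dir.is_dir():
        return hits
    for root, dirs, files in os.walk(history_dir):  # does not follow links
        for name in list(dirs) + files:
            p = Path(root) / name
            try:
                if is_reparse_point(p):
                    hits.append(p)
                    if name in dirs:
                        dirs.remove(name)  # never descend into a redirected dir
            except OSError:
                continue  # unreadable entry: skip rather than abort the scan
    return hits

def demo() -> List[str]:
    """Constructed sample cache (not real GPO data): two GPO GUID directories,
    one with a normal Printers.xml, one where Printers.xml is a symlink.
    A symlink stands in for the NTFS mount point so this runs on any OS."""
    with tempfile.TemporaryDirectory() as tmp:
        hist, sid = Path(tmp) / "History", "S-1-5-21-0-0-0-1001"  # placeholder SID
        good = hist / "{11111111-1111-1111-1111-111111111111}" / sid / "Preferences" / "Printers"
        bad = hist / "{22222222-2222-2222-2222-222222222222}" / sid / "Preferences" / "Printers"
        for d in (good, bad):
            d.mkdir(parents=True)
        (good / "Printers.xml").write_text("<Printers/>")
        (bad / "Printers.xml").symlink_to(Path(tmp) / "elsewhere.dll")  # dangling on purpose
        return [h.relative_to(hist).as_posix() for h in find_redirections(hist)]

if __name__ == "__main__":
    print(demo())  # on a real host, pass %LocalAppData%\Microsoft\Group Policy\History instead
```

On a live Windows host, point find_redirections at the real History path; any hit there deserves triage before the next gpupdate runs.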

According to CyberArk, the full steps to exploit this vulnerability would be as follows:

  1. List the group policy GUIDs you have in C:\Users\user\AppData\Local\Microsoft\Group Policy\History\
  2. If you have multiple GUIDs check which directory was updated recently
  3. Go inside this directory and into the sub-directory, which is the user SID.
  4. Look at the latest modified directory; this will vary in your environment. In my case, it was the Printers directory.
  5. Delete the file, Printers.xml, inside the Printers directory.
  6. Create an NTFS mount point to \RPC Control + an Object Manager symlink with Printers.xml that points to C:\Windows\System32\whatever.dll
  7. Open your favorite terminal and run gpupdate.

Because standard users with no special privileges are still able to create files in arbitrary locations, attackers are ultimately able to exploit this vulnerability to escalate their privileges.

"There you have it; an arbitrary create on arbitrary locations, you can also delete and modify system protected files by using this exploit. There is a small change in behavior that goes on based on your GPO objects (printers, devices, drives). Alas, all of them end up in EoP," CyberArk explains.

As this vulnerability affects millions, if not potentially a billion devices, it's a severe security flaw that should be addressed by all Windows administrators as soon as possible.

CyberArk disclosed this vulnerability to Microsoft on June 17th, 2019, and Microsoft fixed it today in their June 2020 Patch Tuesday security updates.