HomeCyber BalkansLegacyHive Windows Zero-Day Allows Attackers to Take Control of Administrator Registry Hives

LegacyHive Windows Zero-Day Allows Attackers to Take Control of Administrator Registry Hives

Published on

spot_img

A recently uncovered security vulnerability in Windows systems, termed LegacyHive, has raised significant alarms in the cybersecurity community. This local privilege escalation flaw enables a standard user to manipulate the per-user registry classes hive associated with an administrator account. The implications of this could be severe, offering potential pathways for malicious actors to exploit a system compromised by ordinary user credentials.

The vulnerability’s existence was revealed through a proof-of-concept (PoC) published by the researcher known as NightmareEclipse on GitHub. The repository, titled MSNightmare/LegacyHive, demonstrates how the Windows User Profile Service can be abused to load a target user’s UsrClass.dat hive into a registry location accessible to users with lower privileges. This document outlines the mechanics of this exposure and its ongoing risks.

Understanding LegacyHive: A New Zero-Day Threat

According to the information provided in the GitHub README, the LegacyHive vulnerability affects all currently supported Windows desktop and Server installations, including those updated with Microsoft’s July 2023 security patches. Currently, no Common Vulnerabilities and Exposures (CVE), Microsoft advisories, or vendor-issued fixes have been assigned to this issue.

The PoC was developed in C++ and made available under an MIT license. The creator has deliberately limited the public code’s functionality to minimize immediate risk of exploitation, focusing specifically on loading UsrClass.dat—a registry hive integral to user-specific configurations like file associations and COM registrations.

To exploit the vulnerability, a malicious user requires local access to another standard user’s credentials and must know the username of a target account, which could potentially be an administrator. Once executed successfully, the tool allows the target account’s classes registry hive to be mounted under the current user’s classes root, fundamentally altering the permissions assigned by the system.

Vulnerability researcher Will Dormann has independently validated this behavior, documenting that new registry keys were observed under HKEY_USERS while the LegacyHive was operational. His findings confirmed that a non-administrative user could access the classes hive of the administrator, which poses considerable risk.

Security Risks and Potential Exploits

The ability for a standard user to change the registry configurations of a privileged account offers numerous avenues for the reconfiguration of how applications, files, and COM components behave on a system. Dormann’s tests exemplified this by changing the .txt file association for the administrator user to open in Calculator instead of the intended application. While this specific manipulation may seem harmless, it demonstrates the underlying vulnerabilities that can be exploited to alter protected settings.

Much more nefarious uses of this exploit could involve modifying COM object registrations invoked when an administrator logs in. An attack with this trajectory could lead to code execution under the administrator’s security context, representing an escalation from merely having access as a low-privileged user to completely taking control of an administrative session. Such findings spotlight the urgent need for organizations to address this vulnerability proactively.

Further investigations into the flaw suggest that the core issue lies within the privilege handling mechanisms of the User Profile Service (ProfSvc). When the service tries to open the targeted administrator’s UsrClass.dat file while impersonating the standard user, it encounters an access denied error. However, upon retrying under NT AUTHORITY\SYSTEM, it manages to successfully access the protected file and displays the loaded hive in a manner that remains accessible to the non-admin user.

Recommended Mitigation Strategies

Organizations must regard LegacyHive as a potentially high-impact risk, especially within environments that involve shared endpoints or where administrators perform interactive logins on servers. Until Microsoft releases guidance or a suitable patch, several defensive strategies are advisable. These include:

  • Restricting Local Access: Ensuring that standard users are not granted unnecessary local access to other users’ credentials.
  • Monitoring User Activity: Keeping an eye on unusual activity within the ProfSvc and unexpected hive mounts under HKEY_USERS.
  • Investigating Changes: Scrutinizing any modifications to user-level COM registrations and file associations linked to privileged accounts.

In summary, LegacyHive introduces a critical level of risk, underscoring the importance of vigilant cybersecurity practices and prompt remedial measures in environments susceptible to privilege escalation attacks. As the cybersecurity landscape continually evolves, timely awareness and proactive strategies will remain essential in safeguarding sensitive systems and accounts.

Source link

Latest articles

Government Updates UK National Risk Register with Cyber Warnings

The UK government has taken significant steps to address evolving threats in the realm...

Armenia Detains Russian Tourist on U.S. Warrant for REvil Hacker; Lawyers Claim Misidentification

Armenian authorities have detained a Russian national named Aleksandr Ermakov at the request of...

SANS Highlights AI Governance Gap Amid Rising Security Team Usage

AI Integration in Cybersecurity: Balancing Confidence with Deployment Challenges In recent developments within the cybersecurity...

AI Has Evolved from Assistant to Operator, Warns Check Point Research

AI's Evolving Role in Cyberattacks: Insights from Check Point Research's Annual Security Report Check Point...

More like this

Government Updates UK National Risk Register with Cyber Warnings

The UK government has taken significant steps to address evolving threats in the realm...

Armenia Detains Russian Tourist on U.S. Warrant for REvil Hacker; Lawyers Claim Misidentification

Armenian authorities have detained a Russian national named Aleksandr Ermakov at the request of...

SANS Highlights AI Governance Gap Amid Rising Security Team Usage

AI Integration in Cybersecurity: Balancing Confidence with Deployment Challenges In recent developments within the cybersecurity...