UserManagerEoP / CVE-2024-21447
The UserManager EoP exploit by Wh04m1001 targets a vulnerability identified as CVE-2023-36047, which was later tracked as CVE-2024-21447 after additional fixes by Microsoft.
UserManager EoP Exploit
📌Vulnerability Discovery: The exploit was discovered by the repository owner last year and affects the UserManager service in Windows.
📌Nature of Vulnerability: The flaw involves the UserManager service improperly copying files from a directory that can be controlled by a user, leading to an elevation of privilege (EoP).
📌Partial Fix and Re-exploitation: Initially, Microsoft addressed only the write aspect of the file copy operation. However, the read operation continued to be executed with NT AUTHORITY\SYSTEM privileges, which was not secured in the first patch.
📌Exploit Mechanism: The exploit takes advantage of the unsecured read operation to access critical system files like SAM, SYSTEM, and SECURITY hives from a shadow copy.
📌Final Resolution: The vulnerability was fully addressed by Microsoft recently and is now cataloged under a new identifier, CVE-2024-21447.
Code Analysis
The GitHub repository contains exploit code that demonstrates how to manipulate the UserManager service’s file handling to escalate privileges.
📌Identifying Vulnerable Operations: Code to identify and target the specific vulnerable read operation performed by the UserManager.
📌Exploiting the Flaw: Scripts or commands that manipulate the file operations to redirect or access unauthorized data.
📌Leveraging System Privileges: Utilizing the elevated privileges gained from the exploit to perform unauthorized actions, such as accessing or modifying system files and settings.