UserManagerEoP / CVE-2024-21447

The ‎UserManager‏ ‎EoP ‎exploit ‎by ‎Wh04m1001 targets ‎a‏ ‎vulnerability ‎identified‏ ‎as‏ ‎CVE-2023-36047, ‎which ‎was‏ ‎later ‎tracked‏ ‎as ‎CVE-2024-21447 ‎after ‎additional‏ ‎fixes‏ ‎by ‎Microsoft.

UserManager‏ ‎EoP ‎Exploit

📌Vulnerability‏ ‎Discovery: The ‎exploit ‎was ‎discovered ‎by‏ ‎the‏ ‎repository ‎owner‏ ‎last ‎year‏ ‎and ‎affects ‎the ‎UserManager ‎service‏ ‎in‏ ‎Windows.

📌Nature‏ ‎of ‎Vulnerability: The‏ ‎flaw ‎involves‏ ‎the ‎UserManager‏ ‎service‏ ‎improperly ‎copying‏ ‎files ‎from ‎a ‎directory ‎that‏ ‎can ‎be‏ ‎controlled‏ ‎by ‎a ‎user,‏ ‎leading ‎to‏ ‎an ‎elevation ‎of ‎privilege‏ ‎(EoP).

📌Partial‏ ‎Fix ‎and‏ ‎Re-exploitation: Initially, ‎Microsoft‏ ‎addressed ‎only ‎the ‎write ‎aspect‏ ‎of‏ ‎the ‎file‏ ‎copy ‎operation.‏ ‎However, ‎the ‎read ‎operation ‎continued‏ ‎to‏ ‎be‏ ‎executed ‎with‏ ‎NT ‎AUTHORITY\SYSTEM‏ ‎privileges, ‎which‏ ‎was‏ ‎not ‎secured‏ ‎in ‎the ‎first ‎patch.

📌Exploit ‎Mechanism:‏ ‎The ‎exploit‏ ‎takes‏ ‎advantage ‎of ‎the‏ ‎unsecured ‎read‏ ‎operation ‎to ‎access ‎critical‏ ‎system‏ ‎files ‎like‏ ‎SAM, ‎SYSTEM,‏ ‎and ‎SECURITY ‎hives ‎from ‎a‏ ‎shadow‏ ‎copy.

📌Final ‎Resolution:‏ ‎The ‎vulnerability‏ ‎was ‎fully ‎addressed ‎by ‎Microsoft‏ ‎recently‏ ‎and‏ ‎is ‎now‏ ‎cataloged ‎under‏ ‎a ‎new‏ ‎identifier,‏ ‎CVE-2024-21447.

Code ‎Analysis

The‏ ‎GitHub ‎repository ‎contains ‎exploit ‎code‏ ‎that ‎demonstrates‏ ‎how‏ ‎to ‎manipulate ‎the‏ ‎UserManager ‎service’s‏ ‎file ‎handling ‎to ‎escalate‏ ‎privileges.

📌Identifying‏ ‎Vulnerable ‎Operations: Code‏ ‎to ‎identify‏ ‎and ‎target ‎the ‎specific ‎vulnerable‏ ‎read‏ ‎operation ‎performed‏ ‎by ‎the‏ ‎UserManager.

📌Exploiting ‎the ‎Flaw: Scripts ‎or ‎commands‏ ‎that‏ ‎manipulate‏ ‎the ‎file‏ ‎operations ‎to‏ ‎redirect ‎or‏ ‎access‏ ‎unauthorized ‎data.

📌Leveraging‏ ‎System ‎Privileges: Utilizing ‎the ‎elevated ‎privileges‏ ‎gained ‎from‏ ‎the‏ ‎exploit ‎to ‎perform‏ ‎unauthorized ‎actions,‏ ‎such ‎as ‎accessing ‎or‏ ‎modifying‏ ‎system ‎files‏ ‎and ‎settings.