Wednesday, January 15, 2025
HomeCVE/vulnerabilityMicrosoft Xbox Gaming Services Flaw Let Attackers Gain SYSTEM Privileges

Microsoft Xbox Gaming Services Flaw Let Attackers Gain SYSTEM Privileges

Published on

A new elevation of privilege vulnerability has been discovered in the Xbox Gaming services that allow a threat actor to elevate their privileges to that of a SYSTEM.

This particular vulnerability has been assigned CVE-2024-28916, and its severity has been given as 8.8 (High).

When this was reported to Microsoft, the researcher got a response stating “no security boundary is being broken here”.

However, Microsoft has patched this vulnerability after it has been clarified that the vulnerability allows a non-admin user to gain SYSTEM privileges.

Microsoft’s response (Source: GitHub/Wh04m1001)

Microsoft Xbox Gaming Services – CVE-2024-28916

According to the reports shared with Cyber Security News, the GamingService is not a default service but if it is installed on any system, it can be utilized by a low privileged user to escalate their privileges to SYSTEM.

When the Gaming Services service’s directory change occurs, it will attempt to open the C:\XboxGames\GameSave\Content\MicrosoftGame.Config file by using the attempting user’s privilege.

If the file is present, the Gaming Service will move the whole C:\XboxGames\GameSave folder via MoveFileW API call.

However, if this attempt is failed due to access denied error, the Gaming Service will elevate its permission to that of SYSTEM and perform the move operation.

To add an interesting note, the C:\XboxGames folder can be modified by any authenticated users group. 

Suppose any user does not have the privilege to modify this folder. In that case, they can still exploit this by changing the directory location to any user controlled directory and perform this operation by the following actions:

  • Deleting the C:\XboxGames folder,
  • Creating a new folder under the same name,
  • Drop arbitrary DLL files inside the C:\XboxGames\GameSave folder
  • Add “deny delete” ACL to the folder that will result in operation being failed attempting to escalate the privilege.

Patch And Bypass

After reviewing this vulnerability, Microsoft patched it by adding a few mitigations and checks before moving the folder. The checks involve 

  • checking the destination folder in reparse point and 
  • lockdown implementation on both source and destination directory by creating a temporary file (.tmp_ + digit) with FILE_FLAG_DELETE_ON_CLOSE flag which is also prevented from deletion.

The researcher stated that this patch was flawed as the check for junction was being done before locking the directory.

This could allow a user to trick the service that the new installation directory is safe and attempt to redirect it to the C:\Windows\System32\Spool\Drivers\x64 directory.

The time window can be extended by creating multiple temporary files as the service specifies CREATE_ALWAYS, and the creation will fail to create the file if it exists.

This will continue to increase the temporary file digits until a file is successfully created. 

A proof of concept for this vulnerability has been published which abuses the spooler service to load arbitrary DLL as SYSTEM.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Aembit Announces Speaker Lineup for the Inaugural NHIcon

Aembit, the non-human identity and access management (IAM) company, unveiled the full agenda for...

Sweet Security Introduces Patent-Pending LLM-Powered Detection Engine, Reducing Cloud Detection Noise to 0.04%

Sweet Security, a leader in cloud runtime detection and response, today announced the launch...

ShadowSyndicate Hackers Added RansomHub Ransomware to their Arsenal

ShadowSyndicate is a prolific threat actor that has been active since July 2022, collaborated...

5,000 WordPress Sites Hacked in New WP3.XYZ Malware Attack

Widespread malware campaigns detected by side crawlers exploit vulnerabilities on multiple websites where the...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

ShadowSyndicate Hackers Added RansomHub Ransomware to their Arsenal

ShadowSyndicate is a prolific threat actor that has been active since July 2022, collaborated...

5,000 WordPress Sites Hacked in New WP3.XYZ Malware Attack

Widespread malware campaigns detected by side crawlers exploit vulnerabilities on multiple websites where the...

Hackers Exploiting Fortinet Zero-day Vulnerability In Wild To Gain Super-Admin Privileges

A critical zero-day vulnerability in Fortinet's FortiOS and FortiProxy products is being actively exploited...