Sunday, May 19, 2024

Microsoft Xbox Gaming Services Flaw Let Attackers Gain SYSTEM Privileges

A new elevation of privilege vulnerability has been discovered in the Xbox Gaming services that allow a threat actor to elevate their privileges to that of a SYSTEM.

This particular vulnerability has been assigned CVE-2024-28916, and its severity has been given as 8.8 (High).

When this was reported to Microsoft, the researcher got a response stating “no security boundary is being broken here”.

However, Microsoft has patched this vulnerability after it has been clarified that the vulnerability allows a non-admin user to gain SYSTEM privileges.

Microsoft’s response (Source: GitHub/Wh04m1001)

Microsoft Xbox Gaming Services – CVE-2024-28916

According to the reports shared with Cyber Security News, the GamingService is not a default service but if it is installed on any system, it can be utilized by a low privileged user to escalate their privileges to SYSTEM.

When the Gaming Services service’s directory change occurs, it will attempt to open the C:\XboxGames\GameSave\Content\MicrosoftGame.Config file by using the attempting user’s privilege.

If the file is present, the Gaming Service will move the whole C:\XboxGames\GameSave folder via MoveFileW API call.

However, if this attempt is failed due to access denied error, the Gaming Service will elevate its permission to that of SYSTEM and perform the move operation.

To add an interesting note, the C:\XboxGames folder can be modified by any authenticated users group. 

Suppose any user does not have the privilege to modify this folder. In that case, they can still exploit this by changing the directory location to any user controlled directory and perform this operation by the following actions:

  • Deleting the C:\XboxGames folder,
  • Creating a new folder under the same name,
  • Drop arbitrary DLL files inside the C:\XboxGames\GameSave folder
  • Add “deny delete” ACL to the folder that will result in operation being failed attempting to escalate the privilege.

Patch And Bypass

After reviewing this vulnerability, Microsoft patched it by adding a few mitigations and checks before moving the folder. The checks involve 

  • checking the destination folder in reparse point and 
  • lockdown implementation on both source and destination directory by creating a temporary file (.tmp_ + digit) with FILE_FLAG_DELETE_ON_CLOSE flag which is also prevented from deletion.

The researcher stated that this patch was flawed as the check for junction was being done before locking the directory.

This could allow a user to trick the service that the new installation directory is safe and attempt to redirect it to the C:\Windows\System32\Spool\Drivers\x64 directory.

The time window can be extended by creating multiple temporary files as the service specifies CREATE_ALWAYS, and the creation will fail to create the file if it exists.

This will continue to increase the temporary file digits until a file is successfully created. 

A proof of concept for this vulnerability has been published which abuses the spooler service to load arbitrary DLL as SYSTEM.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Website

Latest articles

Hackers Exploiting Docusign With Phishing Attack To Steal Credentials

Hackers prefer phishing as it exploits human vulnerabilities rather than technical flaws which make...

Norway Recommends Replacing SSLVPN/WebVPN to Stop Cyber Attacks

A very important message from the Norwegian National Cyber Security Centre (NCSC) says that...

New Linux Backdoor Attacking Linux Users Via Installation Packages

Linux is widely used in numerous servers, cloud infrastructure, and Internet of Things devices,...

ViperSoftX Malware Uses Deep Learning Model To Execute Commands

ViperSoftX malware, known for stealing cryptocurrency information, now leverages Tesseract, an open-source OCR engine,...

Santander Data Breach: Hackers Accessed Company Database

Santander has confirmed that there was a major data breach that affected its workers...

U.S. Govt Announces Rewards up to $5 Million for North Korean IT Workers

The U.S. government has offered a prize of up to $5 million for information...

Russian APT Hackers Attacking Critical Infrastructure

Russia leverages a mix of state-backed Advanced Persistent Threat (APT) groups and financially motivated...
Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles