Tuesday, October 15, 2024
HomeCVE/vulnerabilityMicrosoft Xbox Gaming Services Flaw Let Attackers Gain SYSTEM Privileges

Microsoft Xbox Gaming Services Flaw Let Attackers Gain SYSTEM Privileges

Published on

Malware protection

A new elevation of privilege vulnerability has been discovered in the Xbox Gaming services that allow a threat actor to elevate their privileges to that of a SYSTEM.

This particular vulnerability has been assigned CVE-2024-28916, and its severity has been given as 8.8 (High).

When this was reported to Microsoft, the researcher got a response stating “no security boundary is being broken here”.

- Advertisement - SIEM as a Service

However, Microsoft has patched this vulnerability after it has been clarified that the vulnerability allows a non-admin user to gain SYSTEM privileges.

Microsoft’s response (Source: GitHub/Wh04m1001)

Microsoft Xbox Gaming Services – CVE-2024-28916

According to the reports shared with Cyber Security News, the GamingService is not a default service but if it is installed on any system, it can be utilized by a low privileged user to escalate their privileges to SYSTEM.

When the Gaming Services service’s directory change occurs, it will attempt to open the C:\XboxGames\GameSave\Content\MicrosoftGame.Config file by using the attempting user’s privilege.

If the file is present, the Gaming Service will move the whole C:\XboxGames\GameSave folder via MoveFileW API call.

However, if this attempt is failed due to access denied error, the Gaming Service will elevate its permission to that of SYSTEM and perform the move operation.

To add an interesting note, the C:\XboxGames folder can be modified by any authenticated users group. 

Suppose any user does not have the privilege to modify this folder. In that case, they can still exploit this by changing the directory location to any user controlled directory and perform this operation by the following actions:

  • Deleting the C:\XboxGames folder,
  • Creating a new folder under the same name,
  • Drop arbitrary DLL files inside the C:\XboxGames\GameSave folder
  • Add “deny delete” ACL to the folder that will result in operation being failed attempting to escalate the privilege.

Patch And Bypass

After reviewing this vulnerability, Microsoft patched it by adding a few mitigations and checks before moving the folder. The checks involve 

  • checking the destination folder in reparse point and 
  • lockdown implementation on both source and destination directory by creating a temporary file (.tmp_ + digit) with FILE_FLAG_DELETE_ON_CLOSE flag which is also prevented from deletion.

The researcher stated that this patch was flawed as the check for junction was being done before locking the directory.

This could allow a user to trick the service that the new installation directory is safe and attempt to redirect it to the C:\Windows\System32\Spool\Drivers\x64 directory.

The time window can be extended by creating multiple temporary files as the service specifies CREATE_ALWAYS, and the creation will fail to create the file if it exists.

This will continue to increase the temporary file digits until a file is successfully created. 

A proof of concept for this vulnerability has been published which abuses the spooler service to load arbitrary DLL as SYSTEM.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

HORUS Protector Delivering AgentTesla, Remcos, Snake, NjRat Malware

The Horus Protector crypter is being used to distribute various malware families, including AgentTesla,...

ErrorFather Hackers Attacking & Control Android Device Remotely

The Cerberus Android banking trojan, which gained notoriety in 2019 for its ability to...

Hackers Allegedly Selling Data Stolen from Cisco

A group of hackers reportedly sells sensitive data stolen from Cisco Systems, Inc.The...

Fortigate SSLVPN Vulnerability Exploited in the Wild

A critical vulnerability in Fortinet's FortiGate SSLVPN appliances, CVE-2024-23113, has been actively exploited in...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

HORUS Protector Delivering AgentTesla, Remcos, Snake, NjRat Malware

The Horus Protector crypter is being used to distribute various malware families, including AgentTesla,...

ErrorFather Hackers Attacking & Control Android Device Remotely

The Cerberus Android banking trojan, which gained notoriety in 2019 for its ability to...

Hackers Allegedly Selling Data Stolen from Cisco

A group of hackers reportedly sells sensitive data stolen from Cisco Systems, Inc.The...