Researcher accidentally found 0-day bug in Windows 7 and Windows Server 2008

0-day bug in Windows 7

French cybersecurity researcher Clément Labro was working on a security tool when he discovered that Windows 7 and Windows Server 2008 R2 were vulnerable to a 0-day local privilege escalation bug.

The researcher writes that the vulnerability lies in two incorrectly configured registry keys belonging to the RPC Endpoint Mapper and DNSCache services, both of which are present in every Windows installation:

  • HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper
  • HKLM\SYSTEM\CurrentControlSet\Services\Dnscache

An attacker who already has a foothold on the system can modify these keys to enable the subkey that Windows performance monitoring uses.

This mechanism is used to monitor application performance; it also lets developers load their own DLL files so that dedicated tools can track their performance.

"Although the latest versions of Windows typically load DLLs with limited privileges, Windows 7 and Windows Server 2008 can still load custom DLLs that will eventually run with SYSTEM privileges," writes Clément Labro.
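The article names the two service keys and the performance-monitoring subkey that matters, so a defender's first question is whether low-privilege accounts can write to those keys and whether a Performance subkey is already present under them. The PowerShell audit below is an added example written for this page; it is not code from the article, from Clément Labro, or from PrivescCheck. It assumes the well-known English principal names (BUILTIN\Users, Authenticated Users, INTERACTIVE, Everyone) and treats only the rights that allow creating subkeys or changing values (CreateSubKey, SetValue, ChangePermissions, TakeOwnership) as "write" rights, deliberately not WriteKey, because that composite shares the ReadPermissions bit with ReadKey and would produce false positives.

```powershell
# Added example, not from the article or from PrivescCheck.
# Audits the two service keys named in the article for write access granted to
# low-privilege principals and reports any Performance subkey found under them.

$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\RpcEptMapper',
    'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache'
)

# Assumption: English well-known names; adjust for localized builds.
$lowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

# Rights that let a caller add a subkey or change values. WriteKey is avoided on
# purpose: it includes ReadPermissions, which ReadKey also carries.
$writeRights = [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
               [System.Security.AccessControl.RegistryRights]::TakeOwnership

function Test-ServiceKeyPermissions {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.RegistryRights -band $writeRights) -ne 0) {
            [PSCustomObject]@{
                Key       = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Test-PerformanceSubkey {
    param([string]$Path)
    $perf = Join-Path $Path 'Performance'
    if (Test-Path $perf) {
        # Library/Open/Collect/Close are the documented value names of a
        # performance extension DLL registration.
        $props = Get-ItemProperty -Path $perf -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            Key     = $perf
            Library = $props.Library
            Open    = $props.Open
            Collect = $props.Collect
            Close   = $props.Close
        }
    }
}

foreach ($k in $keys) {
    $weak = Test-ServiceKeyPermissions -Path $k
    if ($weak) {
        "WEAK: low-privilege write access on $k"
        $weak | Format-Table -AutoSize
    } else {
        "OK: no low-privilege write access on $k"
    }
    $perf = Test-PerformanceSubkey -Path $k
    if ($perf) {
        "Performance subkey present under ${k}:"
        $perf | Format-List
    }
}
```

Run it as a standard user on a Windows 7 or Server 2008 R2 host; reading the ACLs does not require elevation. A WEAK line means the key's permissions should be tightened so that only Administrators and SYSTEM hold write rights, and any Performance subkey reported under these keys deserves a look at whether its Library value points to a signed DLL under the system directory.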

Most researchers report serious security issues to Microsoft privately as soon as they are discovered, but in Labro's case it was too late. He found the problem only after releasing an update for his PrivescCheck tool, which identifies insecure Windows settings that malware can abuse to elevate privileges.

The PrivescCheck update added a new set of checks for privilege escalation methods. Labro writes that he did not realize at the time that these checks would reveal a new, unpatched way of elevating privileges.

"A few days after the release, I started analysing the strange warnings that appeared on older systems such as Windows 7. Unfortunately, it was too late at that time to report the issue privately, so I just disclosed the details of the vulnerability I found on my blog," said Clément Labro.

Since support for Windows 7 and Windows Server 2008 R2 has long been discontinued, Microsoft has mostly stopped releasing security updates for these operating systems. Some updates are still available to Windows 7 users through the paid ESU (Extended Security Updates) program, but no fix for the problem Labro found is available there either.

So far, the only fix available to users of these older operating systems is an unofficial micropatch from Acros Security, the company behind 0patch. As a reminder, 0patch is a platform built precisely for such situations: fixing 0-day and other unpatched vulnerabilities, supporting products that their vendors no longer support, patching custom software, and so on.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advice and tips on GridinSoft's products. He's available 24/7 to assist you with any question regarding internet security.
