CVE-2022-24527: Microsoft Connected Cache Local Privilege Escalation (Fixed)


On April 12, 2022, Microsoft published CVE-2022-24527, a local privilege escalation vulnerability in Microsoft Connected Cache. The vulnerability allowed a local low-privileged user to execute arbitrary PowerShell as SYSTEM due to improper file permission assignment (CWE-732).


Product description


Connected Cache is a feature used by Microsoft Endpoint Manager “Distribution Points” to support “Delivery Optimization.”


Credit


This issue was discovered and reported by security researcher Jake Baines as part of Rapid7's vulnerability disclosure program.


Exploitation


When Connected Cache is in use on a Distribution Point, it is installed, in part, into C:\Doinc. Below, you can see that there are some PowerShell scripts within that directory:


C:\>dir /s /b C:\Doinc
C:\Doinc\Product
C:\Doinc\Product\Install
C:\Doinc\Product\Install\Logs
C:\Doinc\Product\Install\Tasks
C:\Doinc\Product\Install\Tasks\CacheNodeKeepAlive.ps1
C:\Doinc\Product\Install\Tasks\Maintenance.ps1
C:\Doinc\Product\Install\Tasks\SetDrivesToHealthy.ps1

Low-privileged users only have read and execute permissions on the PowerShell scripts.


C:\Doinc\Product\Install\Tasks>icacls *.ps1
CacheNodeKeepAlive.ps1 NT AUTHORITY\SYSTEM:(I)(F)
                       NT AUTHORITY\NETWORK SERVICE:(I)(F)
                       BUILTIN\Administrators:(I)(F)
                       BUILTIN\Users:(I)(RX)

Maintenance.ps1 NT AUTHORITY\SYSTEM:(I)(F)
                NT AUTHORITY\NETWORK SERVICE:(I)(F)
                BUILTIN\Administrators:(I)(F)
                BUILTIN\Users:(I)(RX)

SetDrivesToHealthy.ps1 NT AUTHORITY\SYSTEM:(I)(F)
                       NT AUTHORITY\NETWORK SERVICE:(I)(F)
                       BUILTIN\Administrators:(I)(F)
                       BUILTIN\Users:(I)(RX)

Successfully processed 3 files; Failed processing 0 files
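
An audit check for the permission listing above, as an added example (not code from the original advisory or from Microsoft): it parses plain icacls output and reports entries that grant a low-privileged group write-capable rights (CWE-732). The C:\Example\Tasks entry is constructed for illustration, and the group list and rights list are assumptions to adjust per environment.

```python
import re

# icacls rights that permit modification, and groups every local user belongs to.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "DC", "WDAC", "WO", "GA", "GW"}
LOW_PRIV = {"builtin\\users", "everyone", "nt authority\\interactive",
            "nt authority\\authenticated users"}
# Maintenance.ps1 entry as on the page; C:\Example\Tasks is a constructed entry.
SAMPLE = r"""
Maintenance.ps1 NT AUTHORITY\SYSTEM:(I)(F)
                NT AUTHORITY\NETWORK SERVICE:(I)(F)
                BUILTIN\Administrators:(I)(F)
                BUILTIN\Users:(I)(RX)

C:\Example\Tasks NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                 BUILTIN\Users:(OI)(CI)(M)

Successfully processed 2 files; Failed processing 0 files
"""

def parse_icacls(text):
    """Map each path in plain icacls output to [(principal, [tokens]), ...]."""
    acls = {}
    for block in re.split(r"\n\s*\n", text.strip("\n")):
        lines = [l for l in block.splitlines() if l.strip()]
        if not lines or lines[0].startswith("Successfully processed"):
            continue
        # Continuation lines are indented to the ACE column; with a single ACE
        # fall back to the first space (assumes no space in the path).
        col = (len(lines[1]) - len(lines[1].lstrip()) if len(lines) > 1
               else lines[0].find(" ") + 1)
        entries = []
        for ace in [lines[0][col:]] + lines[1:]:
            principal, _, rights = ace.strip().rpartition(":")
            entries.append((principal, re.findall(r"\(([^)]+)\)", rights)))
        acls[lines[0][:col].strip()] = entries
    return acls

def writable_by_low_priv(acls):
    """Return (path, principal, rights) where a low-privileged group can write."""
    findings = []
    for path, entries in acls.items():
        for principal, tokens in entries:
            granted = {r for t in tokens for r in t.split(",")} & WRITE_RIGHTS
            if granted and principal.lower() in LOW_PRIV and "DENY" not in tokens:
                findings.append((path, principal, sorted(granted)))
    return findings

if __name__ == "__main__":
    print(writable_by_low_priv(parse_icacls(SAMPLE)))
```

The scripts listed on the page produce no finding, since BUILTIN\Users holds only (RX) on them; running the same check over the parent directories and over anything a SYSTEM-run script loads covers the rest of the execution path.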

The Powe ..
