In December of 2022, Ben Barnea of Akamai posted an X thread about a bug they had found in Windows Local Service Manager (LSM) that can lead to local privilege escalation from a regular user account to Local System. Ben discovered that code in LSM was missing a return value check after calling RpcImpersonateClient to impersonate the caller: a failed impersonation attempt would therefore leave the code running as Local System.
After trying out several ideas to make the RpcImpersonateClient call fail, Ben succeeded with an interesting race condition trick: changing the caller's token after the call has been accepted by LSM, but before the impersonation is attempted.
Microsoft assigned this issue CVE-2023-21771, and issued a fix for it with January 2023 Windows Updates.
Ben's X thread and proof of concept allowed us to reproduce the issue and create a micropatch for users of legacy Windows systems, which are no longer receiving security updates from Microsoft.
Microsoft's Patch
Microsoft patched this issue by adding a check for the return value of the RpcImpersonateClient call, and skipping the processing if the call fails.
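The pattern behind the bug and the fix, as an added example that is neither Microsoft's nor 0patch's code: a simulated RPC handler in which sim_impersonate() stands in for RpcImpersonateClient (same contract: 0 on success, non-zero on failure, thread token unchanged on failure), shown in its unchecked form beside the fail-closed form both patches implement. The handler names, the thread_ctx model and the non-zero failure status are constructed for the example.

```c
#include <stdbool.h>

/* Constructed model: no Windows API is called; the stand-ins below keep the
 * real API's contract so the control-flow defect can be exercised directly. */
#define RPC_S_OK 0                 /* real success status of RpcImpersonateClient */
#define SIM_IMPERSONATION_FAILED 1 /* constructed non-zero failure status */

enum token { TOKEN_SYSTEM = 0, TOKEN_CALLER = 1 };

struct thread_ctx {
    enum token effective;  /* token the server thread currently runs under */
};

/* Stand-in for RpcImpersonateClient(). `fail` models the race the text
 * describes: the caller's token is unusable by the time LSM impersonates. */
static long sim_impersonate(struct thread_ctx *t, bool fail) {
    if (fail)
        return SIM_IMPERSONATION_FAILED;  /* token unchanged: still System */
    t->effective = TOKEN_CALLER;
    return RPC_S_OK;
}

/* Stand-in for RpcRevertToSelf(). */
static void sim_revert(struct thread_ctx *t) { t->effective = TOKEN_SYSTEM; }

/* The privileged request body; reports which token it actually ran under. */
static int do_request(const struct thread_ctx *t) { return (int)t->effective; }

/* Unpatched shape: the impersonation status is ignored.
 * Returns the token the request ran under. */
int handle_request_unpatched(bool impersonation_fails) {
    struct thread_ctx t = { TOKEN_SYSTEM };
    sim_impersonate(&t, impersonation_fails);  /* status dropped on the floor */
    int ran_as = do_request(&t);
    sim_revert(&t);
    return ran_as;
}

/* Patched shape (what Microsoft's fix and the micropatch both do): skip
 * processing unless impersonation succeeded. Returns -1 when skipped. */
int handle_request_patched(bool impersonation_fails) {
    struct thread_ctx t = { TOKEN_SYSTEM };
    if (sim_impersonate(&t, impersonation_fails) != RPC_S_OK)
        return -1;  /* fail closed: never process the request as System */
    int ran_as = do_request(&t);
    sim_revert(&t);
    return ran_as;
}
```

With a failing impersonation, the unpatched handler processes the request as System while the patched one refuses it; with a successful impersonation both run as the caller.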
Our Micropatch
Our patch is logically identical to Microsoft's:
;XX-1665
MODULE_PATH "..\AffectedModules\lsm.dll_10.0.19041.1266_Win10-2004_64-bit_u2021-12\lsm.dll"
PATCH_ID 1725
PATCH_FORMAT_VER 2
VULN_ID 7813
PLATFORM win64
patchlet_start
PATCHLET_ID 1
PATCHLET_TYPE 2
PATCHLET_OFFSET 0x58a63
N_ORIGINALBYTES 5
JUMPOVERBYTES 0
PIT lsm.dll!0x58a7a
code_start
cmp rax, 0x0 ;check if RpcImpersonateClient returned 0 for success
jne PIT_0x58a7a ;if not, jump to the error block
code_end
patchlet_end
Micropatch Availability
Micropatches were written for the following security-adopted versions of Windows with all available Windows Updates installed:
- Windows 10 v21H1 - fully updated
- Windows 10 v2004 - fully updated
Vulnerabilities like this get discovered on a regular basis, and attackers know about them all. If you're using Windows versions that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.
If you're new to 0patch, create a free account in 0patch Central, then install and register 0patch Agent from 0patch.com, and email sales@0patch.com for a trial. Everything else will happen automatically. No computer reboot will be needed.
We would like to thank Ben Barnea of Akamai for sharing their analysis, which made it possible for us to create a micropatch for this issue.