We have just released a micropatch for CVE-2023-36047, a local privilege escalation vulnerability found by Filip Dragović in the way Windows handle files when a user changes their account picture. Filip discovered that on Windows 11, when you change your account picture, this picture is copied to a destination folder by a privileged process (the "User Manager" service). Since this folder is under user's control, they can set up symbolic links to "redirect" the copying to an arbitrary location. This allowed a local unprivileged attacker to copy a malicious DLL to a folder like C:\Windows\System32, where they would normally not be able to create files.
Adding a malicious DLL file to a system folder can lead to execution of attacker's code with the identity of Local System.
Filip published a POC for this issue, which allowed us to create a micropatch.
Our Micropatch
We
patched this issue in the same way Microsoft did, by impersonating the calling user instead of allowing to execute the copy operation as Local System. Note that Microsoft's fix is somewhat broken as changing one's profile picture now results in an error being displayed to the user. Our patch reproduces this behavior as well.
Let's see our patch in action.
With 0patch disabled, running Filip's POC and changing account picture to a new image (which is actually a DLL file) results in such DLL being created in C:\Windows.
With 0patch enabled, however, doing the same results in an "Account picture error" (which also happens on patched Windows 11) and no DLL created in C:\Windows.
Micropatch Availability
Micropatch was only written for Windows 11 v21H2 with all available Windows Updates installed. Even though Microsoft's advisory lists many Windows versions as affected, including some that we have security-adopted, we were unable to reproduce this on these versions. Namely, the entire process of changing the account picture works differently there, and even on Windows 11 v21H2 it works differently than on newer Windows 11 versions. The latter is also the reason why CVE-2024-21447, another vulnerability discovered by Filip in the same code, does not affect Windows 11 v21H2.
If you're new to 0patch, create a free account in 0patch Central, then install and register 0patch Agent from 0patch.com, and email sales@0patch.com for a trial. Everything else will happen automatically. No computer reboot will be needed.
We would like to thank Filip Dragović for sharing their analysis and POC, which made it possible for us to create a
micropatch for this issue.