July 2025 Windows Updates brought a patch for CVE-2025-49760, a local privilege escalation vulnerability allowing a local unprivileged attacker to manipulate the Windows Storage Service and extract the local machine's NTLM credentials. The vulnerability was found and reported to Microsoft by Ron Ben Yizhak with SafeBreach.
The Vulnerability
The vulnerability allows a low-privileged user on a computer to register the Windows Storage Service's RPC endpoint with the RPC Endpoint Mapper before the service manages to register it, so that the service subsequently connects to the attacker's process, trusts its responses, and lets it extract Local System's NTLM credentials. These can then be used against Active Directory Certificate Services (AD CS) to perform the so-called "ESC8" attack (originally described in this SpecterOps article).
Security researcher Ron Ben Yizhak describes the vulnerability in detail in this SafeBreach article.
Ron also kindly released a POC that can be used to reproduce the issue.
Microsoft's Patch
Microsoft patched this issue in the Storage Service by modifying the code in StorageUsage.dll that connects to the RPC endpoint so that it only connects to an endpoint that was created by LOCAL SYSTEM. This blocks the attack because the service refuses to connect to the endpoint registered by the low-privileged attacker.
Our Patch
We decided to approach the issue on the other end - in the RPC Endpoint Mapper Service.
Our patch adds a check to the RPC Endpoint Mapper service core (RpcEpMap.dll) such that when registration of an endpoint with StorageUsage.dll's interface UUID is attempted, the registering user must be LOCAL SYSTEM, otherwise the registration is rejected. This approach has two advantages over Microsoft's:
- the local low-privileged attacker cannot even cause a denial of service against the Storage Service (which a spoofed endpoint on the Microsoft-patched computer still can), and
- we find it likely (and Ron's article strongly suggests) that other services will turn out to be vulnerable to the same type of spoofing, and we prefer to patch all similar issues in the same place.
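To make the difference between the two fix locations concrete, here is an added toy simulation (not 0patch's micropatch, not Microsoft's code, and not the Windows RPC runtime) of the registration race: an attacker registers an endpoint for the service's interface UUID first, the real service registers second, and the service then resolves and connects. The interface UUID, SIDs and port names are constructed placeholders. It contrasts an unpatched mapper, a client-side owner check (Microsoft's approach, where the spoofed registration still wins the lookup and the service ends up refusing its own connection) and a registration-time check in the mapper (our approach, where the spoofed registration never lands).

```python
"""
Toy model of the endpoint-mapper spoofing race behind CVE-2025-49760, comparing
where the check is placed: on the connecting client (Microsoft's fix) or in the
endpoint mapper at registration time (0patch's micropatch). Illustrative
simulation only, not Windows RPC runtime code; UUID, SIDs and port names are
constructed placeholders.
"""
from dataclasses import dataclass, field

LOCAL_SYSTEM_SID = "S-1-5-18"          # well-known SID of LOCAL SYSTEM
LOW_PRIV_SID = "S-1-5-21-1-2-3-1001"   # constructed SID of an unprivileged local user
STORAGE_IFACE_UUID = "11111111-2222-3333-4444-555555555555"  # placeholder, not StorageUsage.dll's real UUID


@dataclass
class Endpoint:
    name: str       # e.g. an ALPC port name
    owner_sid: str  # identity of the process that registered the endpoint


@dataclass
class EndpointMapper:
    # interface UUID -> registrations in arrival order; lookups return the earliest one,
    # which is what lets an attacker who registers first get resolved by the victim service
    table: dict = field(default_factory=dict)
    # interface UUID -> SID allowed to register it (empty when the mapper is unpatched)
    protected: dict = field(default_factory=dict)

    def register(self, uuid, endpoint):
        required = self.protected.get(uuid)
        if required is not None and endpoint.owner_sid != required:
            return False  # micropatch-style refusal of a non-SYSTEM registration
        self.table.setdefault(uuid, []).append(endpoint)
        return True

    def resolve(self, uuid):
        entries = self.table.get(uuid, [])
        return entries[0] if entries else None


def client_connect(mapper, uuid, check_owner):
    """Connecting side; with check_owner=True it refuses endpoints not created by LOCAL SYSTEM."""
    ep = mapper.resolve(uuid)
    if ep is None:
        return "no-endpoint"
    if check_owner and ep.owner_sid != LOCAL_SYSTEM_SID:
        return "refused"  # no credential leak, but the service never reaches its real endpoint
    return f"connected:{ep.name}:{ep.owner_sid}"


def run_race(mapper_checks_registration, client_checks_owner):
    """Attacker registers first, the real service registers second, then the service connects."""
    mapper = EndpointMapper()
    if mapper_checks_registration:
        mapper.protected[STORAGE_IFACE_UUID] = LOCAL_SYSTEM_SID
    attacker_registered = mapper.register(STORAGE_IFACE_UUID, Endpoint("spoofed-port", LOW_PRIV_SID))
    mapper.register(STORAGE_IFACE_UUID, Endpoint("real-port", LOCAL_SYSTEM_SID))
    return attacker_registered, client_connect(mapper, STORAGE_IFACE_UUID, client_checks_owner)


def compare_mitigations():
    """Returns (attacker registration accepted, service connect outcome) for each variant."""
    return {
        "unpatched": run_race(False, False),
        "client_check": run_race(False, True),
        "mapper_check": run_race(True, False),
    }


if __name__ == "__main__":
    for name, (attacker_registered, outcome) in compare_mitigations().items():
        print(f"{name:13s} attacker registered={attacker_registered!s:5s} service outcome={outcome}")
```

Running the script prints one line per variant: unpatched, the service connects to the spoofed port owned by the low-privileged SID; with the client-side check it refuses and is left without a usable endpoint; with the registration-time check the spoofed registration is rejected and the service connects to its own SYSTEM-owned port.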
Let's see our patch in action:
Micropatch Availability
Micropatches were written for the following security-adopted Windows versions:
- Windows 11 v21H2 - fully updated
- Windows 10 v21H2 - fully updated
- Windows 10 v21H1 - fully updated
- Windows 10 v20H2 - fully updated
- Windows 10 v2004 - fully updated
- Windows 10 v1909 - fully updated
- Windows 10 v1809 - fully updated
- Windows 10 v1803 - fully updated
Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).
Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows versions that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.
If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.
We'd like to thank Ron Ben Yizhak with SafeBreach for sharing their finding and their POC, which allowed us to reproduce the issue and create patches for our users.
Did you know 0patch will security-adopt Windows 10 and Office 2016 and 2019 when they go out of support this month, allowing you to keep using them for at least 3 more years (5 years for Windows 10)? Read more about it here and here.
To learn more about 0patch, please visit our Help Center.