“This function has a vulnerability where it doesn’t correctly check the impersonation token of the caller to determine if the user is an administrator,” Forshaw wrote in the mailing list. “It reads the caller’s impersonation token using PsReferenceImpersonationToken and then does a comparison between the user SID in the token to LocalSystem’s SID.”
“It doesn’t check the impersonation level of the token so it’s possible to get an identify token on your thread from a local system process and bypass this check. For this purpose the PoC abuses the BITS service and COM to get the impersonation token but there are probably other ways.”
- Put the AppCompatCache.exe and Testdll.dll on disk
- Ensure that UAC is enabled, the current user is a split-token admin and the UAC setting is the default (no prompt for specific executables).
- Execute AppCompatCache from the command prompt with the command line “AppCompatCache.exe c:\windows\system32\ComputerDefaults.exe testdll.dll”.
- If successful then the calculator should appear running as an administrator. If it doesn’t work first time (and you get the ComputerDefaults program) re-run the exploit from 3, there seems to be a caching/timing issue sometimes on first run.
“We are working to release a security update to address an Elevation of Privilege issue. It is important to note that for a would-be attacker to potentially exploit a system, they would first need to have valid logon credentials and be able to log on locally to a targeted machine. We encourage customers to keep their anti-virus software up to date, install all available Security Updates and enable the firewall on their computer.”