A Privilege Escalation was recently discovered, which affects Windows’s File History service and can be used by threat actors to gain escalated privileges on a Windows System.
This issue was reported to Microsoft, and necessary patches have been published to fix this vulnerability.
File History for Windows is a backup and restore feature that automatically backs up the data stored in Libraries, Desktops, Favourites folder, etc. It can also backup the data to an external source like USB, Flash drive, or HDD.
CVE-2023-35359 – Windows Privilege Escalation
This vulnerability exists since the File History runs with system privileges that can be exploited to elevate the privileges from a normal user to a system user in order to perform malicious activities as a system user.
When the File History service is started, it loads the core file fhsvc.dll and the CManagerThread::QueueBackupForLoggedOnUser function, which is found to be vulnerable. This function simulates the logged-in user and loads the fhcfg.dll file, which is the root cause of this vulnerability.
File History can be manually started by a normal user, and additionally, the DosDevices can also be modified. Moreover, when fhcfg.dll is loaded, it also contains the resource for a manifest, and the csrss.exe (Client/Server Runtime Subsystem) also impersonates the identity of the normal user.
A normal user can modify the DosDevices to point to a fake directory like C:\Users\Public\test, followed by the csrss.exe. The fake directory must contain a link to another DLL, which will be used for escalating privileges.
SSD Disclosure has published a complete report, which provides detailed information about the proof-of-concept, exploitation method, and the core cause of this vulnerability.
Source: https://cybersecuritynews.com/windowss-file-history-service-flaw/
