A privilege escalation vulnerability was recently discovered in the Windows File History service; it can be used by threat actors to gain elevated privileges on a Windows system.
The issue was reported to Microsoft, and patches fixing the vulnerability have been published.
File History is a Windows backup and restore feature that automatically backs up data stored in Libraries, the Desktop, the Favourites folder and similar locations. It can also back up data to an external target such as a USB stick, flash drive or HDD.
CVE-2023-35359 – Windows Privilege Escalation
The vulnerability exists because File History runs with SYSTEM privileges, which can be abused to elevate a normal user's privileges to those of SYSTEM and then perform malicious activity as that user.
When the File History service starts, it loads its core module fhsvc.dll, whose CManagerThread::QueueBackupForLoggedOnUser function was found to be vulnerable. This function impersonates the logged-on user and loads fhcfg.dll, which is the root cause of the vulnerability.
The File History service can be started manually by a normal user, and that user can also modify their DosDevices. Moreover, fhcfg.dll contains a manifest resource, and csrss.exe (the Client/Server Runtime Subsystem) also impersonates the identity of the normal user when processing it.
A normal user can therefore modify DosDevices to point to a fake directory such as C:\Users\Public\test, which csrss.exe then follows. The fake directory must contain a link to another DLL, which is used to escalate privileges.
SSD Disclosure has published a complete report, which provides detailed information about the proof-of-concept, exploitation method, and the core cause of this vulnerability.
Affected Products
| Product | Platforms | Affected Versions |
|---|---|---|
| Windows Server 2019 | x64-based Systems | affected from 10.0.0 before 10.0.17763.4737 |
| Windows 10 Version 1809 | 32-bit Systems, x64-based Systems, ARM64-based Systems | affected from 10.0.0 before 10.0.17763.4737 |
| Windows Server 2019 (Server Core installation) | x64-based Systems | affected from 10.0.0 before 10.0.17763.4737 |
| Windows Server 2022 | x64-based Systems | affected from 10.0.0 before 10.0.20348.1906; affected from 10.0.0 before 10.0.20348.1903 |
| Windows 11 version 21H2 | x64-based Systems, ARM64-based Systems | affected from 10.0.0 before 10.0.22000.2295 |
| Windows 10 Version 21H2 | 32-bit Systems, ARM64-based Systems | affected from 10.0.0 before 10.0.19044.3324 |
| Windows 11 version 22H2 | ARM64-based Systems, x64-based Systems | affected from 10.0.0 before 10.0.22621.2134 |
| Windows 10 Version 22H2 | x64-based Systems, ARM64-based Systems, 32-bit Systems | affected from 10.0.0 before 10.0.19045.3324 |
| Windows 10 Version 1507 | 32-bit Systems, x64-based Systems | affected from 10.0.0 before 10.0.10240.20107 |
| Windows 10 Version 1607 | 32-bit Systems, x64-based Systems | affected from 10.0.0 before 10.0.14393.6167 |
| Windows Server 2016 | x64-based Systems | affected from 10.0.0 before 10.0.14393.6167 |
| Windows Server 2016 (Server Core installation) | x64-based Systems | affected from 10.0.0 before 10.0.14393.6167 |
| Windows Server 2008 Service Pack 2 | 32-bit Systems | affected from 6.0.0 before 6.0.6003.22216 |
| Windows Server 2008 Service Pack 2 (Server Core installation) | 32-bit Systems, x64-based Systems | affected from 6.0.0 before 6.0.6003.22216 |
| Windows Server 2008 Service Pack 2 | x64-based Systems | affected from 6.0.0 before 6.0.6003.22216 |
| Windows Server 2008 R2 Service Pack 1 | x64-based Systems | affected from 6.1.0 before 6.1.7601.26664 |
| Windows Server 2008 R2 Service Pack 1 (Server Core installation) | x64-based Systems | affected from 6.0.0 before 6.1.7601.26664 |
| Windows Server 2012 | x64-based Systems | affected from 6.2.0 before 6.2.9200.24414 |
| Windows Server 2012 (Server Core installation) | x64-based Systems | affected from 6.2.0 before 6.2.9200.24414 |
| Windows Server 2012 R2 | x64-based Systems | affected from 6.3.0 before 6.3.9600.21503 |
| Windows Server 2012 R2 (Server Core installation) | x64-based Systems | affected from 6.3.0 before 6.3.9600.21503 |
Users of these products are advised to update to the latest version, as recommended by Microsoft.
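The following PowerShell script is an added example, not part of the article or of any Microsoft tooling. It reads the local Windows build from the standard CurrentVersion registry key and compares it against the "before" build numbers in the affected-products table above, so an administrator can tell whether a host is still below the fixed build for CVE-2023-35359. The fixed-build map is transcribed from the table; the assumption that the fourth version component is stored in the UBR registry value holds on Windows 10 and later but not on every older release, where the script reports that it cannot decide.

```powershell
# Added example (not from the article or Microsoft): compare the local Windows build
# against the fixed builds listed in the CVE-2023-35359 affected-products table.

# "major.minor.build" prefix -> first fixed Update Build Revision (UBR), transcribed from the table.
$FixedBuilds = @{
    '10.0.17763' = 4737    # Windows 10 1809 / Windows Server 2019
    '10.0.20348' = 1906    # Windows Server 2022 (the higher of the two values listed)
    '10.0.22000' = 2295    # Windows 11 21H2
    '10.0.19044' = 3324    # Windows 10 21H2
    '10.0.22621' = 2134    # Windows 11 22H2
    '10.0.19045' = 3324    # Windows 10 22H2
    '10.0.10240' = 20107   # Windows 10 1507
    '10.0.14393' = 6167    # Windows 10 1607 / Windows Server 2016
    '6.0.6003'   = 22216   # Windows Server 2008 SP2
    '6.1.7601'   = 26664   # Windows Server 2008 R2 SP1
    '6.2.9200'   = 24414   # Windows Server 2012
    '6.3.9600'   = 21503   # Windows Server 2012 R2
}

function Get-LocalBuild {
    # Standard version-reporting key; present on all supported Windows releases.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    # Windows 10+ exposes CurrentMajorVersionNumber/CurrentMinorVersionNumber;
    # older releases only carry the combined CurrentVersion string ("6.3" etc.).
    if ($cv.PSObject.Properties['CurrentMajorVersionNumber']) {
        $major = $cv.CurrentMajorVersionNumber
        $minor = $cv.CurrentMinorVersionNumber
    } else {
        $major, $minor = $cv.CurrentVersion.Split('.')
    }

    # Assumption: the fourth version component is stored in the UBR value (true on
    # Windows 10 and later). Where it is absent we return $null so the caller can say so.
    $ubr = if ($cv.PSObject.Properties['UBR']) { [int]$cv.UBR } else { $null }

    [pscustomobject]@{
        Prefix = "$major.$minor.$($cv.CurrentBuildNumber)"
        UBR    = $ubr
    }
}

function Test-CVE202335359Patched {
    param(
        [Parameter(Mandatory)][string]$Prefix,
        [Nullable[int]]$UBR
    )
    if (-not $FixedBuilds.ContainsKey($Prefix)) {
        return "Build $Prefix is not in the affected-products table; consult Microsoft's advisory."
    }
    $fixed = $FixedBuilds[$Prefix]
    if ($null -eq $UBR) {
        return "Cannot decide: no UBR value for $Prefix; compare the installed update level against $Prefix.$fixed manually."
    }
    if ($UBR -ge $fixed) {
        return "Patched: $Prefix.$UBR is at or above fixed build $Prefix.$fixed"
    }
    return "VULNERABLE: $Prefix.$UBR is below fixed build $Prefix.$fixed"
}

# Usage: run in an elevated or normal PowerShell session on the host being checked.
$build = Get-LocalBuild
Test-CVE202335359Patched -Prefix $build.Prefix -UBR $build.UBR
```

Because the check is a plain comparison of the UBR against the table, it can be run across a fleet with Invoke-Command and the results collected centrally; a host reporting "VULNERABLE" should be prioritised for the August 2023 cumulative update that carries the fix.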