Back to Home
Security

LegacyHive: 'Bone-shattering' zero-day from Microsoft's serial tormentor not the haymaker that was promised

Experts say it’s a useful post-compromise tool, for those with the brain cells required to put it together

t
tech4you AI
July 15, 20263 min read
Share

Security

LegacyHive: 'Bone-shattering' zero-day from Microsoft's serial tormentor not the haymaker that was promised

Experts say it’s a useful post-compromise tool, for those with the brain cells required to put it together

Microsoft’s worst nightmare - a prolific zero-day vulnerability hunter who calls themselves Nightmare Eclipse - published yet another zero-day on Tuesday, a vulnerability allowing attackers to mount user hives, including partial exploit code.

Suspected of being a disgruntled former Microsoft engineer, based on the sophistication of their prior vulnerabilities, NightmareEclipse came good on their promise to release another zero-day on July 14. Whether it lives up to the promised “bone-shattering” standard touted in June is up for debate, however.

Called “LegacyHive,” the proof of concept (PoC) code for the zero-day local privilege escalation (LPE) vulnerability targets Windows’ user hives - the section of the Windows Registry that stores a user's specific desktop settings, application preferences, and environment configurations.

The code exploits a weakness in profsvc, the Windows User Profile Service, and the way in which it loads hives. If exploited correctly it could grant regular users privileged read-write access to target other users' hives.

Matei Badanoiu, lead security researcher at Pentest-Tools.com, said that while the exploit could prove useful for attackers who had already gained a foothold in a target environment, it falls short of providing a fuller system compromise.

“What caught my attention is the difference between what the public proof of concept actually demonstrates and what a full compromise would require,” he told The Register. “LegacyHive is a local privilege escalation in the Windows User Profile Service. It abuses arbitrary registry hive loading, so a standard user can mount another user’s hive, including an administrator’s, into their own classes root. 

“For an attacker who already has a foothold, that is a genuinely useful primitive. Bundling it with credential access and persistence into ‘full compromise’ is more of an ambition than the released code.”

The LegacyHive publication differs from some of NightmareEclipse’s earlier drops in that the PoC code is stripped back in an effort to prevent widespread exploitation.

According to the bug hunter, there is more than one way of exploiting the profsvc flaw. 

The public PoC requires additional user credentials for it to work, and is limited to the usrclass.dat hive.

NightmareEclipse said the original PoC, which differs from the one they published, does not require additional user credentials to exploit the bug, and it works beyond the usrclass.dat hive, “but you would need some brain cells to make the PoC do it.”

This represents a divergence from NightmareEclipse’s previous approaches.

As Badanoiu pointed out to us, some of NightmareEclipse’s earlier drops, such as BlueHammer and RedSun, went from PoC to widespread exploitation within days.

LegacyHive, however, comes without a fully working PoC and a CVE identifier.

Regardless, security experts told The Register that cyber practitioners should respond promptly since capable attackers could probably build a reliable exploit, despite the gaps left in the PoC by NightmareEclipse.

“Threat intelligence teams are advised to act with some urgency here,” said Dray Agha, senior manager of security operations at Huntress. “Huntress observed NightmareEclipse's prior LPE and defence evasion tools rapidly deployed threat actors and ransomware groups shortly after publication. 

“Given this history, we’d expect that capable actors will reverse-engineer the missing components of the LegacyHive PoC to build fully weaponized versions in short order.”

The timing

NightmareEclipse may have changed their approach to releasing full working PoCs to the public, perhaps a reflection of Microsoft’s suggestion of preparing legal action against the bug hunter, but the nuisance timing of the vulnerability disclosures remains.

They dropped the details for LegacyHive shortly after Microsoft released its monthly Patch Tuesday updates, which contained an unprecedented 622 fixes.

Agha said timing the disclosure in this way maximizes the exposure window before a patch can be developed, causing more trouble for Microsoft.

The Register asked the Windows-maker about LegacyHive and whether it was planning to release a fix before August’s patches, but it did not immediately respond.

NightmareEclipse claims their latest zero-day works against Windows machines that are fully patched according to July’s fixes.

Microsoft previously issued a quiet remedy for one of NightmareEclipse’s earlier zero-days, RoguePlanet, last week, although the company did not go into any details about what the mitigation entailed. ®


Originally published on The Register

Related Articles

LegacyHive: 'Bone-shattering' zero-day from Microsoft's serial tormentor not the haymaker that was promised | tech4you