Hackers Exploit Privilege Escalation Flaw on Windows Backup Service

Written by

Threat actors have been observed exploiting a privilege escalation vulnerability on the Windows Backup and Restore service.

"[...] CVE-2023-21752 is a vulnerability which allows a basic user to execute arbitrary code on a host to delete files from [a] specified storage path, from Windows Backup and Restore service," wrote security researchers at CloudSEK. "This action is only doable by privileged users."

Further, the exploit could be leveraged for privilege escalation on a host from basic user to system user, thus allowing account takeovers.

"The vulnerability is triggered using the Race Condition between temporary file creation and deletion, which takes place following the authentication process," the CloudSEK advisory reads.

"Windows hosts that follow irregular patch installations are subjected to risk, with threat actors potentially utilizing the exploit in the wild. The bare requirement is to have a local account on the targeted system."

The high-severity vulnerability has a CVSS base score of 7.1 and affects Windows 7, 10 and 11 OS versions. It was patched by Microsoft in its first Patch Tuesday of 2023. 0patch also released a different fix for the flaw on January 31.

"Our micro patch is logically identical to Microsoft's, but to minimize its complexity and code size, we opted for a simpler naming of the temporary file," wrote the security researchers. "This is to accommodate multiple backup processes using the same path at the same time, which is unlikely but not impossible."

Back to the CloudSEK advisory, the company said it spotted threat hackers discussing the vulnerability in a Russian-speaking cybercrime forum and on Telegram channels.

"A brand new vulnerability was found on January 10 in the Windows Backup service," reads a Telegram post seen and shared by CloudSEK. "The vulnerability makes it easy to elevate privileges from the user level to [local privilege escalation]."

The company's advisory comes days after Microsoft announced releasing patches for over 70 CVEs this month, including three zero-days.

What’s hot on Infosecurity Magazine?