A recent security flaw in Windows, known as LegacyHive, has come to light, allowing attackers to leverage the User Profile Service for local privilege escalation. This vulnerability, which affects administrator accounts, enables unauthorized code execution at an admin level.
Understanding the LegacyHive Vulnerability
LegacyHive targets the User Profile Service, a Windows component that manages user profiles and their registry hives during login and logout. The vulnerability is described as a ‘Windows user profile service arbitrary hive load elevation of privileges vulnerability’ in a public proof-of-concept (PoC) by MSNightmare on GitHub.
This exploit allows users with low privileges to mount another user’s registry hive, specifically UsrClass.dat, into their HKEY_CLASSES_ROOT. By doing so, attackers can access another user’s application data and configuration, posing a significant security risk.
Exploiting the Flaw for Admin Access
Security expert Will Dormann demonstrated that by using LegacyHive.exe with the credentials of a standard user, specified as an admin, attackers can gain direct access to the admin’s Classes registry hive. This is achieved by starting regedit.exe as the second user.
Although the UsrClass.dat access is read-only, it allows for the modification of an admin’s registry hive, enabling attackers to hijack how the account launches applications or COM objects. This vulnerability creates a pathway for arbitrary code execution through manipulated file associations and COM object overwriting.
Implications and Mitigation Strategies
The LegacyHive exploit operates under the context of legitimate admin accounts, making it challenging for endpoint detection tools to perceive it as malicious. Despite Microsoft’s recent security updates, this vulnerability remains active across all supported Windows editions, lacking an official CVE or security bulletin.
Microsoft is currently examining the reported vulnerability. Until a patch is released, organizations are advised to restrict local logins for privileged accounts, segment admin workstations, enhance monitoring of registry hive changes, and closely observe COM and object registration modifications within admin profiles.
LegacyHive represents a significant threat as it exploits established quirks in Windows for privilege escalation. Organizations must remain vigilant, treating systems with LegacyHive indicators, as well as other known exploits like RoguePlanet, as potentially compromised.
Strengthening security operations centers (SOCs) and accelerating threat detection can aid in effectively managing such vulnerabilities. Integrating advanced tools and monitoring strategies is recommended to mitigate risks associated with LegacyHive and similar exploits.
