Researchers have identified a significant security concern, designated as CVE-2024-6769, which presents a combination of user access control (UAC) bypass and privilege escalation vulnerabilities within the Windows operating system. This flaw could potentially enable an authenticated attacker to gain complete system privileges, raising alarms among cybersecurity experts. Fortra, the organization behind this discovery, has rated the vulnerability with a medium severity score of 6.7 out of 10 on the Common Vulnerability Scoring System (CVSS) scale. Tyler Reguly, associate director of security R&D at Fortra, emphasized the severity of the issue, stating that the proof-of-concept exploit demonstrates the ability to shut down the system and manipulate files in critical locations, such as C:Windows, which could lead to unauthorized ownership of system files.
Understanding Integrity Levels in Windows
To grasp the implications of Fortra’s findings, one must revisit the introduction of Mandatory Integrity Control (MIC) in Windows Vista. This model assigns every user, process, and resource a specific integrity level, which dictates access permissions. Low integrity levels are granted universally, while medium integrity levels are reserved for authenticated users, high for administrators, and the most sensitive operations are confined to system-level access.
Alongside these integrity levels, UAC was implemented as a security mechanism that defaults most processes and applications to the medium level, requiring explicit permission for actions demanding higher privileges. Typically, an admin-level user can elevate their privileges by selecting “Run as Administrator” from a context menu.
However, Fortra’s researchers demonstrated that by leveraging two exploit techniques, an already authorized user could bypass this security boundary, achieving full administrative privileges without triggering UAC.
Using CVE-2024-6769 to Jump Across User Boundaries
To exploit CVE-2024-6769, an attacker must first establish a foothold within the targeted system, requiring the medium integrity-level privileges of a standard user whose account belongs to the administrative group. The initial phase of the attack involves remapping the system’s root drive, such as “C:”, to a location under the attacker’s control, which also affects the critical “system32” folder.
One service that relies on this folder is the CTF Loader, ctfmon.exe, which operates without administrator privileges but at a high integrity level. By placing a specially crafted, counterfeit DLL in the system32 folder, the attacker can manipulate ctfmon.exe to execute their code at an elevated privilege level.
To further escalate privileges, the attacker may poison the activation context cache, which Windows utilizes to load specific library versions. By crafting an entry that points to a malicious version of a legitimate system DLL, the attacker can exploit a process with administrator privileges, ultimately gaining full control over the system.
Microsoft: Not a Vulnerability
In response to the findings, Microsoft has acknowledged the research but does not classify it as a vulnerability. The company referred to its Security Servicing Criteria for Windows, which indicates that certain components and configurations are not designed to provide robust security boundaries. The relevant section states that administrative processes and users are part of the Trusted Computing Base (TCB) for Windows, implying that they are not strongly isolated from the kernel boundary.
Reguly explains that Microsoft perceives the admin-to-system boundary as non-existent, as administrators are trusted on a host. Therefore, the company does not consider CVE-2024-6769 a vulnerability, given that an admin user could perform similar system-level actions, albeit with UAC approval.
However, Reguly and Fortra contest this viewpoint, arguing that the introduction of UAC was marketed as a significant security enhancement. They assert that if Microsoft views this as an acceptable trust boundary, it undermines the credibility of UAC as a genuine security feature.
Windows Shops Should Still Beware UAC Bypass Risk
Regardless of philosophical differences, Reguly emphasizes the importance for businesses to recognize the risks associated with allowing lower-integrity administrators to escalate their privileges to achieve full system control. An exploit of CVE-2024-6769 could enable an attacker to manipulate or delete critical system files, upload malware, establish persistence, disable security features, and access sensitive data.
Fortra reassured that only administrators are affected by this vulnerability, meaning standard users remain largely unaffected. Nonetheless, it is crucial for administrators to verify the origins of binaries they run. As Reguly aptly puts it, vigilance is currently the best defense against this emerging threat.
