CVE-2021-24084 An unpatched information disclosure in Microsoft Windows

Thursday, 24 June 2021

The Timeline:

This bug was initially recognized in October 2020, and was reported to the Zero Day Initiative program.
The bug was reported to Microsoft on 2020/10/27 by Zero Day Initiative; it was acknowledged and a security advisory was released as CVE-2021-24084.
On Patch Tuesday I tried to see the changes introduced to the original code and I was shocked: nothing had changed, even though I installed the update that said it was fixing the bug.
I reached out to ZDI and they confirmed they were able to reproduce the indicated behavior without any changes to the original PoC. After a few days, I received an update from ZDI saying that Microsoft would release a final patch in the April 2021 update.
April arrived and the bug was still unpatched, so I reached out to ZDI again. After a long silence, ZDI reached out to me with an update: they had a meeting with the Principal Program Manager of MSRC, who said that the issue is clearly acknowledged, is under active investigation and is not being left as a joke, and that a final patch will be released in July (maybe in 2022 lmao)..

The Bug:

I discovered this bug while looking for some options to link my PC with my school account, so that if they sent or did something I'd know about it. Something attracted me: I saw this tiny text allowing you to export the management log.

I knew it was some COM shitty things; I didn't have time to implement the entire thing, so I just clicked the button.

I clicked it, started Process Monitor and saw some very interesting but not useful operations.
The service that hosts those operations is known as Device Management Enrollment Service, or "DmEnrollmentSvc".
One of the loaded modules was "MdmDiagnostics.dll", and apparently it had a vulnerability.
When requesting the log files to be exported to "C:\Users\Public\Documents\MDMDiagnostics\", a lot of file operations happen in C:\Windows\Temp, and the most interesting ones were "C:\Windows\Temp\DeviceHash_DESKTOP-1VX69Y8.csv" and "C:\Windows\Temp\TpmHliInfo_Output.txt", since they were created and removed without impersonation.
I noticed that they were also copied to C:\ProgramData\Microsoft\MdmDiagnostics and packed as a cab file into C:\Users\Public\Documents\MDMDiagnostics.
The function that handles the copy exists in "MdmDiagnostics.dll" as MdmLogCollector::CollectFileEntry, and for some unknown reason it literally enumerates the file as a directory and copies it to be packed as a cab file, without impersonating the caller.
Redirecting the file copy was literally so easy: just create a mount point there.
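Since the root cause is a privileged copy that follows reparse points under C:\Windows\Temp, a defender can at least check whether anything is already planted at the names the export uses before running or allowing a log export. The script below is an added example and not part of the original post or of Microsoft's code: it lists every reparse point (mount point, junction or symbolic link) in the temp directory and flags those sitting at the file names mentioned above. The paths are the ones from the post; the host-name part of the DeviceHash file is the author's machine, so the pattern is widened to any host name, and the parameter names are my own.

```powershell
# Added example (not from the original post): audit C:\Windows\Temp for reparse points
# planted at the names MdmDiagnostics.dll writes without impersonating the caller.
param(
    [string]$TempDir = 'C:\Windows\Temp'   # directory the post observed the writes in
)

# Names the post says are created and removed without impersonation.
# DeviceHash_<hostname>.csv is widened to any host name (assumption).
$WatchedPatterns = @('DeviceHash_*.csv', 'TpmHliInfo_Output.txt')

function Get-SuspiciousReparsePoints {
    param([string]$Path, [string[]]$Patterns)

    # -Force includes hidden entries; -Attributes ReparsePoint keeps only links,
    # which covers directory mount points as well as file symlinks.
    Get-ChildItem -LiteralPath $Path -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item    = $_
            $matched = $Patterns | Where-Object { $item.Name -like $_ }
            [pscustomobject]@{
                Path        = $item.FullName
                LinkType    = $item.LinkType          # 'Junction', 'SymbolicLink', ...
                Target      = ($item.Target -join ';') # where the link points
                WatchedName = [bool]$matched           # sits at a name the export uses
            }
        }
}

$findings = Get-SuspiciousReparsePoints -Path $TempDir -Patterns $WatchedPatterns
if (-not $findings) {
    Write-Output "No reparse points found in $TempDir"
} else {
    $findings | Format-Table -AutoSize
    if ($findings | Where-Object WatchedName) {
        Write-Warning "Reparse point found at a name used by the MDM log export; remove or investigate it before exporting logs."
    }
}
```

Run it from an elevated prompt, since C:\Windows\Temp is not readable in full by standard users. A non-empty result is not proof of abuse (legitimate junctions do exist), but a mount point at exactly `DeviceHash_*.csv` or `TpmHliInfo_Output.txt` has no benign reason to be there and matches the precondition for the redirect the post describes.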

The fact that this can be patched by a child, by just impersonating the caller, is strange; how can a multi-billion company not patch a simple bug in 90 days?

The PoC can be a single PowerShell line that creates a mount point at "C:\Windows\Temp\DeviceHash_DESKTOP-1VX69Y8.csv", followed by starting the log export from Settings. It can be easily emulated by calling the COM methods manually, so do it yourself.
It can be found here.