Windows User Profile Service 0day LPE

Friday, 22 October 2021

Not sure why Microsoft keep screwing those patches.

Here are the details about the bug: https://github.com/klinix5/ProfSvcLPE/blob/main/write-up.docx

PoC - https://github.com/klinix5/ProfSvcLPE/tree/main/DoubleJunctionEoP

This bug requires another user's password that's different from the current one; I'm not sure. But it might be possible to do it without knowing someone else's password.
The PoC must be tested with standard user privileges with another standard user's password. If it succeeds, it will spawn a SYSTEM shell.

At the time of writing, this vulnerability affects every server and desktop edition, including 11 and Server 2022.