TLDR:
- A new elevation of privilege vulnerability has been discovered in Xbox Gaming services, allowing attackers to gain SYSTEM privileges.
- Microsoft initially replied that "no security boundary is being broken here", but patched the vulnerability once it was clarified that non-admin users can escalate to SYSTEM.
A new elevation of privilege vulnerability has been discovered in Xbox Gaming Services that allows a threat actor to elevate their privileges to SYSTEM. It has been assigned CVE-2024-28916 with a severity score of 8.8 (High). The flaw lies in how the Gaming Services service relocates its C:\XboxGames game directory, which lets a non-admin user gain SYSTEM privileges. Microsoft patched it by adding mitigations and checks before the folder is moved, but the researcher reported that the patch is flawed. The vulnerability can be exploited by tricking the service into operating on a directory the attacker controls, potentially leading to arbitrary DLL loading as SYSTEM.
Xbox Gaming Services Flaw Let Attackers Gain SYSTEM Privileges
A new elevation of privilege vulnerability has been discovered in Xbox Gaming Services that allows a threat actor to elevate their privileges to SYSTEM. It has been assigned CVE-2024-28916 with a severity score of 8.8 (High). When it was first reported, the researcher received a response from Microsoft stating that "no security boundary is being broken here". Microsoft nevertheless patched the vulnerability after it was clarified that it allows a non-admin user to gain SYSTEM privileges.
According to the reports shared with Cyber Security News, Gaming Services is not a default Windows service, but where it is installed a low-privileged user can use it to escalate to SYSTEM. When the service handles a change of its game directory, it first tries to open C:\XboxGames\GameSave\Content\MicrosoftGame.Config while impersonating the requesting user. If the file is present, the service moves the whole C:\XboxGames\GameSave folder with a MoveFileW call. If that attempt fails with an access-denied error, the service retries the move with its own SYSTEM privileges. Notably, the C:\XboxGames folder is writable by the Authenticated Users group. Even a user who cannot modify that folder can still reach the vulnerable path by pointing the directory location at a directory they control and then performing the following steps:
- Delete the C:\XboxGames folder
- Create a new folder with the same name
- Drop arbitrary DLL files inside the C:\XboxGames\GameSave folder
- Add a "deny delete" ACL to the folder, so the impersonated move fails with access denied and the service retries it as SYSTEM
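The preconditions above (service present, C:\XboxGames writable by Authenticated Users) and the deny-delete step can be checked and demonstrated from PowerShell. The script below is an added example for this page, not code from the report or from the researcher. It assumes the service is registered under the name GamingServices, that the game root is C:\XboxGames, and that a scratch directory under $env:TEMP can be created and removed; the deny-delete primitive is applied to that scratch tree rather than to the real game folder.

```powershell
# Added example, not code from the original report. Assumptions: the service is
# registered as 'GamingServices', the install root is C:\XboxGames, and the
# scratch directory under $env:TEMP is ours to create and delete.

# 1. Is Gaming Services installed, and which binary backs it?
$svc = Get-CimInstance Win32_Service -Filter "Name='GamingServices'"
if ($svc) {
    # Strip quoting and any arguments from the service command line.
    $exe = ($svc.PathName -replace '^"?([^"]+?\.exe)"?.*$', '$1')
    "GamingServices: State=$($svc.State) Binary=$exe"
    if (Test-Path -LiteralPath $exe) {
        "FileVersion: " + (Get-Item -LiteralPath $exe).VersionInfo.FileVersion
    }
} else {
    "GamingServices is not installed; the described path is not reachable here."
}

# 2. Who can write under C:\XboxGames? The report says Authenticated Users can.
$root = 'C:\XboxGames'
if (Test-Path -LiteralPath $root) {
    (Get-Acl -LiteralPath $root).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.FileSystemRights -match 'Write|Modify|FullControl' } |
        ForEach-Object { "$root allows $($_.IdentityReference): $($_.FileSystemRights)" }
}

# 3. The deny-delete primitive from the last step, on a scratch tree.
$scratch = Join-Path $env:TEMP 'xboxgames-acl-demo'
$child   = Join-Path $scratch 'GameSave'
New-Item -ItemType Directory -Path $child -Force | Out-Null

$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
# Deny both Delete and "Delete subfolders and files": NTFS lets a caller holding
# FILE_DELETE_CHILD on the parent remove a child even when the child itself
# denies Delete, so denying only Delete on GameSave would not make the move fail.
$deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $me, 'Delete, DeleteSubdirectoriesAndFiles',
    'ContainerInherit, ObjectInherit', 'None', 'Deny')
$acl = Get-Acl -LiteralPath $scratch
$acl.AddAccessRule($deny)
Set-Acl -LiteralPath $scratch -AclObject $acl

# A move of GameSave as this user now fails with access denied, which is the
# condition that made the service retry the operation as SYSTEM.
try {
    Move-Item -LiteralPath $child -Destination (Join-Path $scratch 'GameSave.moved') -ErrorAction Stop
    'Move succeeded (unexpected)'
} catch {
    "Move blocked: $($_.Exception.GetType().FullName)"
}

# Cleanup: the owner can always rewrite the DACL, so drop the deny ACE first.
$acl = Get-Acl -LiteralPath $scratch
$acl.RemoveAccessRule($deny) | Out-Null
Set-Acl -LiteralPath $scratch -AclObject $acl
Remove-Item -LiteralPath $scratch -Recurse -Force
```

Run it from an ordinary (non-elevated) prompt, since the point of the report is what a low-privileged account can observe and do. The version string printed in step 1 is informational only; the report does not state which build carries the fix, so compare it against Microsoft's advisory rather than a number guessed here.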
After reviewing the vulnerability, Microsoft patched it by adding mitigations and checks before the folder is moved. The destination folder is checked for a reparse point (junction), and both the source and destination directories are locked by creating a temporary file (named .tmp_ followed by a digit) opened with the FILE_FLAG_DELETE_ON_CLOSE flag and protected from deletion. The researcher stated that this patch is flawed because the junction check is performed before the directory is locked, leaving a window in which the already-checked directory can be replaced with a junction before the lock is taken (a time-of-check/time-of-use race).
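The ordering problem the researcher describes, check the path for a junction and only then lock the directory, is a time-of-check/time-of-use race. The following C program is an added illustration written for this page, not Microsoft's patch code; it uses a POSIX symlink and O_NOFOLLOW as portable stand-ins for an NTFS junction and the Windows directory lock, with a hook that plays the attacker swapping the directory inside the window. The scratch path under /tmp and all function names are constructed for the example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Fallbacks for toolchains that hide these behind feature macros (Linux values). */
#ifndef O_DIRECTORY
#define O_DIRECTORY 0200000
#endif
#ifndef O_NOFOLLOW
#define O_NOFOLLOW 0400000
#endif

/* Stand-in for the attacker acting in the window between check and lock. */
typedef void (*race_hook_t)(const char *path);

/* Flawed ordering (what the report describes): inspect the path for a link,
 * then acquire the directory. The path can change between the two calls. */
int flawed_open_dir(const char *path, race_hook_t attacker)
{
    struct stat st;
    if (lstat(path, &st) != 0 || S_ISLNK(st.st_mode))
        return -1;                              /* "junction check" on the path */
    if (attacker)
        attacker(path);                         /* race window */
    return open(path, O_RDONLY | O_DIRECTORY);  /* silently follows the new link */
}

/* Fixed ordering: acquire the directory first, refusing to follow a link, and do
 * every later check on the handle actually held rather than on the path. */
int safe_open_dir(const char *path, race_hook_t attacker)
{
    struct stat st;
    int fd;
    if (attacker)
        attacker(path);                         /* same attacker, same timing */
    fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;                              /* a link here fails with ELOOP */
    if (fstat(fd, &st) != 0 || !S_ISDIR(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}

static char g_attacker_dir[4096];

/* Attacker move: replace the just-checked directory with a link to one they
 * control, the POSIX counterpart of dropping a junction in its place. */
static void swap_to_link(const char *path)
{
    rmdir(path);
    symlink(g_attacker_dir, path);
}

/* Returns 1 if fd refers to the same filesystem object as path. */
static int fd_points_at(int fd, const char *path)
{
    struct stat a, b;
    if (fstat(fd, &a) != 0 || stat(path, &b) != 0)
        return 0;
    return a.st_dev == b.st_dev && a.st_ino == b.st_ino;
}

/* Builds a scratch layout under base (constructed for this example), runs both
 * orderings against the racing attacker, and returns 1 when the flawed version
 * ends up holding the attacker's directory while the fixed version refuses. */
int demo_race(const char *base)
{
    char target[4096];
    int fd, flawed_redirected, safe_refused;

    snprintf(g_attacker_dir, sizeof g_attacker_dir, "%s/attacker", base);
    snprintf(target, sizeof target, "%s/XboxGames", base);
    mkdir(base, 0700);
    mkdir(g_attacker_dir, 0700);

    /* Round 1: a real directory passes the check, then gets swapped. */
    unlink(target); rmdir(target); mkdir(target, 0700);
    fd = flawed_open_dir(target, swap_to_link);
    flawed_redirected = fd >= 0 && fd_points_at(fd, g_attacker_dir);
    if (fd >= 0) close(fd);

    /* Round 2: the same attacker against the fixed ordering. */
    unlink(target); rmdir(target); mkdir(target, 0700);
    fd = safe_open_dir(target, swap_to_link);
    safe_refused = fd < 0;
    if (fd >= 0) close(fd);

    unlink(target); rmdir(target);
    rmdir(g_attacker_dir);
    rmdir(base);
    return flawed_redirected && safe_refused;
}

int main(void)
{
    puts(demo_race("/tmp/gamingservices-race-demo")
         ? "check-then-lock followed the swapped link; lock-then-check refused it"
         : "unexpected result");
    return 0;
}
```

On Windows the equivalent of the fixed ordering is to take the directory handle first (CreateFileW with FILE_FLAG_BACKUP_SEMANTICS and FILE_FLAG_OPEN_REPARSE_POINT, so that a junction is opened rather than followed) and only then test FILE_ATTRIBUTE_REPARSE_POINT via GetFileInformationByHandle on that same handle; whatever is checked is then the object already held, and a swap after the check has nothing left to redirect.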