3 min read

LegacyHive zero-day lands, but not as devastating as billed

NightmareEclipse published a new Windows zero-day called LegacyHive, but researchers say the public code is more useful after compromise than for full takeover.

Image: The Register

NightmareEclipse, the prolific bug hunter The Register describes as one of Microsoft’s most persistent headaches, has published another Windows zero-day — this time a local privilege escalation flaw dubbed LegacyHive. Despite earlier claims that it would be “bone-shattering,” security researchers told The Register the public release is serious but not the knockout blow it was billed as.

LegacyHive targets Windows user hives, the Registry areas that store a user’s desktop settings, app preferences, and environment configuration. The proof-of-concept code abuses a weakness in profsvc, the Windows User Profile Service, to let a regular user mount another user’s hive into their own classes root. If used successfully, that could give an attacker privileged read-write access to another user’s hive.

Matei Badanoiu, lead security researcher at Pentest-Tools.com, said the gap between the published code and a full system compromise is significant.

“What caught my attention is the difference between what the public proof of concept actually demonstrates and what a full compromise would require.” “LegacyHive is a local privilege escalation in the Windows User Profile Service. It abuses arbitrary registry hive loading, so a standard user can mount another user’s hive, including an administrator’s, into their own classes root.” “For an attacker who already has a foothold, that is a genuinely useful primitive. Bundling it with credential access and persistence into 'full compromise' is more of an ambition than the released code.”

Matei Badanoiu, lead security researcher at Pentest-Tools.com

According to the report, the public PoC is intentionally stripped back to make mass exploitation harder. It requires additional user credentials and is limited to the usrclass.dat hive. NightmareEclipse claimed the original PoC did not need extra credentials and worked beyond usrclass.dat, but said making it do so would require “some brain cells.”

That marks a shift from earlier NightmareEclipse releases. The Register noted that previous drops such as BlueHammer and RedSun moved from PoC to widespread exploitation within days. LegacyHive arrives without a fully working PoC and without a CVE identifier.

Recommended reading

12M stolen streaming accounts hit dark web during World Cup

Disclosure timing and Microsoft response

Even so, defenders are being urged to move quickly. Dray Agha, senior manager of security operations at Huntress, told The Register that capable attackers will likely fill in the missing pieces.

“Threat intelligence teams are advised to act with some urgency here.” “Huntress observed NightmareEclipse’s prior LPE and defence evasion tools rapidly deployed threat actors and ransomware groups shortly after publication.” “Given this history, we’d expect that capable actors will reverse-engineer the missing components of the LegacyHive PoC to build fully weaponized versions in short order.”

Dray Agha, senior manager of security operations at Huntress

The timing was also calculated. NightmareEclipse published LegacyHive just after Microsoft’s Patch Tuesday, which this month included an unprecedented 622 fixes. Agha said that kind of timing maximizes the window before a patch can be shipped.

NightmareEclipse claims the flaw affects fully patched Windows systems as of July’s updates. The Register asked Microsoft whether it planned to issue a fix before August’s patch cycle.

In an update added on July 16, a Microsoft spokesperson said the company is “aware of the reported vulnerability and is actively investigating the validity and potential applicability of these claims.” The spokesperson added that Microsoft supports coordinated vulnerability disclosure and is working to protect customers “as soon as possible.”

The report also notes that Microsoft quietly issued a remedy last week for RoguePlanet, another earlier NightmareEclipse zero-day, without detailing what that mitigation involved.

Sophia Reynolds

Security Editor

Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.

via The Register

// Keep reading