

Windows Group Policy Allows Attacker to Become Admin

A bug dating back to Windows Server 2008 (12-plus years ago) has finally been patched by Microsoft.

Group Policy lets Windows admins push configuration and security settings to every system in a domain, but there was a bug in how the client side of that feature was implemented.

The Group Policy Client service (gpsvc) checks periodically for policy updates and applies any it finds. Because gpsvc runs as SYSTEM, anything that subverts it runs with full control of the machine.

During processing, the service writes the policy update to a local file, which it then reads back and acts on.

The bug is that this file (and the folder it lives in) can be written to by any non-privileged user. That means any local user can plant a malicious "update" which, if crafted correctly, causes the SYSTEM-level service to execute arbitrary code and thereby completely compromise the system. The only saving grace is that the attacker must already have some access to the machine: a local account or code running as an ordinary user, not remote access from the internet.
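The alert's core point is a SYSTEM service processing files from a location ordinary users can write to. The following PowerShell audit is an added example, not code from the alert, from Microsoft or from Bleeping Computer: it confirms which account gpsvc runs under and flags any Group Policy folder on the local machine that grants write rights to broad groups such as Everyone or Users. The folder list and the set of "broad" identities are assumptions made for this check, not paths or groups named in the alert.

```powershell
# Added example (not from the original alert). Run in an elevated PowerShell 5.1+ session
# on a domain-joined Windows host. It reports, it does not change anything.

# 1. Confirm the account the Group Policy Client service runs under (the alert calls it SYSTEM).
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='gpsvc'"
"gpsvc runs as: $($svc.StartName) (state: $($svc.State))"

# 2. Audit local Group Policy folders for write access granted to non-privileged users.
#    ASSUMPTION: these are the folders worth checking; the alert does not name the path.
$paths = @(
    "$env:SystemRoot\System32\GroupPolicy",
    "$env:ProgramData\Microsoft\Group Policy\History",
    "$env:LOCALAPPDATA\Microsoft\Group Policy"
)

# Identities that mean "any non-privileged user" for the purpose of this audit (assumption).
$broadIdentities = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Bit mask of rights that let a user create or alter files in the folder.
# FileSystemRights::Write covers CreateFiles, AppendData, WriteAttributes and WriteExtendedAttributes.
# Generic rights are not decoded by the enum, so GENERIC_WRITE (0x40000000) and
# GENERIC_ALL (0x10000000) are added by hand to avoid missing ACEs that use them.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write -bor 0x40000000 -bor 0x10000000

foreach ($path in $paths) {
    if (-not (Test-Path -LiteralPath $path)) {
        "skip      $path : not present on this host"
        continue
    }
    $acl = Get-Acl -LiteralPath $path
    $findings = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broadIdentities -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights -band $writeMask) -ne 0)
    }
    if ($findings) {
        foreach ($f in $findings) {
            "WRITABLE  $path : $($f.IdentityReference.Value) has $($f.FileSystemRights)"
        }
    } else {
        "ok        $path : no broad write rights"
    }
}
```

A WRITABLE line does not by itself prove the host is exploitable; it identifies the precondition the alert describes (user-writable input to a SYSTEM service) so you can decide whether the machine still needs the June 2020 update or a tighter ACL.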

The vulnerability was assigned a 2020 CVE identifier, CVE-2020-1317, which means that while the bug has existed for 12-plus years, it was only reported to Microsoft and publicly disclosed this year.

That, of course, does not mean that hackers have not known about it for more than a decade.

A patch is available now. Credit: Bleeping Computer