
Storage Elevation of Privilege (CVE-2022)

Storage Elevation of Privilege (CVE-2022) is an issue that affects Windows machines. The issue occurs when a user with administrative privileges on the PC can store data on a network drive that is accessible by anyone. This issue can be leveraged by a remote attacker to run arbitrary code on the system. As the issue is present in Windows Storage, it can also be exploited on Linux and Mac OS X systems.
This issue was made public in June when researchers at Cisco Talos disclosed a number of attacks against Windows Storage. These attacks include Denial-of-Service (DoS) and Remote Code Execution (RCE) attacks.
Cisco Talos researchers have also reported that the issue is being actively exploited in the wild. In one of the attacks, researchers at Talos have reported that attackers have compromised the SMB signing key of a number of Windows hosts. Now, to exploit this vulnerability, we need a vulnerable Windows host with Windows Storage enabled.
After this, we could simply take the following steps to compromise the system.
1. Attackers could create a malicious network share with a simple name like ‘test’.
2. Attackers could then use a simple SMB command to map the network share to the local system.
3. Attackers could send a malicious file to the mapped network share.
4. The malicious file will be executed on the system.

How to check if Windows Storage is enabled?

To check if Windows Storage is enabled, open Windows PowerShell and run the following command.
Get-PSDrive | Select-Object Name, Provider, Root
This command lists every drive available to the current session with its provider and root path (the original command selected Path and RootFolder, which are not properties of a PSDrive object and would have produced empty columns). If you see a drive with the 'Windows' prefix in its name, then this indicates that Windows Storage has been enabled. A fix, when available, will be released as a Microsoft update for this issue.
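The advisory describes the risk as data on a network drive that any user can reach. The following PowerShell script, added here as an example and not part of the original advisory, goes one step beyond the single command above: it lists the file-system drives in the current session whose root is a UNC path (mapped network shares), and, on a host that exports shares itself, lists the SMB shares that grant access to the Everyone principal. The function names Get-NetworkBackedDrive and Get-EveryoneAccessibleShare are assumptions of this example; the advisory does not define what "Windows Storage" is, so treating UNC-backed drives and Everyone-accessible shares as the condition it describes is likewise an assumption.

```powershell
# Added example (not from the original advisory).
# Assumption: the "network drive accessible by anyone" in the advisory corresponds to
# (a) a mapped drive whose root is a UNC path on the client, and
# (b) an SMB share granting access to 'Everyone' on the server.

function Get-NetworkBackedDrive {
    # DisplayRoot holds the \\server\share a mapped drive letter points at;
    # Root is the UNC path itself for drives created with New-PSDrive.
    Get-PSDrive -PSProvider FileSystem |
        Where-Object { $_.DisplayRoot -like '\\*' -or $_.Root -like '\\*' } |
        Select-Object Name, Root, DisplayRoot
}

function Get-EveryoneAccessibleShare {
    # Requires the SmbShare module (present on Windows 8 / Server 2012 and later).
    # Administrative shares (ADMIN$, C$, IPC$) are excluded; they are not user data shares.
    Get-SmbShare |
        Where-Object { $_.Name -notmatch '\$$' } |
        Get-SmbShareAccess |
        Where-Object { $_.AccountName -eq 'Everyone' -and $_.AccessControlType -eq 'Allow' } |
        Select-Object Name, AccountName, AccessRight
}

Write-Host '== Drives backed by a network share =='
Get-NetworkBackedDrive | Format-Table -AutoSize

Write-Host '== Local SMB shares that allow Everyone =='
Get-EveryoneAccessibleShare | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on the host you are checking; Get-SmbShareAccess needs local administrator rights to read share ACLs. An empty second table means no non-administrative share on this host grants Everyone access, which is the condition a defender would want to restore by replacing Everyone with a specific group in the share's permissions.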

Timeline

Published on: 10/11/2022 19:15:00 UTC
Last modified on: 10/12/2022 16:52:00 UTC
