French cybersecurity researcher Clément Labro was working on a security tool when he discovered that Windows 7 and Windows Server 2008 R2 were vulnerable to a 0-day local privilege escalation bug.
The expert writes that the vulnerability lies in two incorrectly configured registry keys for RPC Endpoint Mapper and DNSCache, which are part of all Windows installations:
For example, an attacker who has already entered the system can change these keys in such a way as to activate the subkey that is used for Windows Performance Monitoring.
This mechanism is used to monitor the performance of applications, and also allows developers to load their own DLL files to track their performance using special tools.
Most researchers privately report serious security issues to Microsoft as soon as they were discovered, but in Labro’s case, it was too late. The fact is that the researcher found the problem after he released an update for his PrivescCheck tool, which is used to identify incorrect Windows security settings (they can be abused by malware to elevate privileges).
Thus, a new set of checks for privilege escalation methods has been added to the PrivescCheck update. Labro writes that he did not realize at the time that these checks reveal a new, unpatched way of elevating privileges.
Since support for Windows 7 and Windows Server 2008 R2 has long been discontinued, Microsoft has mostly stopped releasing security updates for these operating systems. Some updates are still available for Windows 7 users through the paid ESU (Extended Support Updates) program, but any fixes for the problem Labro found there either.
So far, only an unofficial micropatch from Acros Security, which develops 0pach, is available for users of older operating systems. Let me remind you that 0patch is a platform designed just for such situations, as fixing 0-day and other unpatched vulnerabilities, to support products that are no longer supported by manufacturers, custom software, and so on.