Zero Day Initiative — CVE-2020-16939: Windows Group Policy DACL Overwrite Privilege Escalation
This vulnerability abuses a SetSecurityFile operation that is performed during a Group Policy update in the context of NT AUTHORITY\SYSTEM. The operation is applied to every file within a certain folder. An attacker who creates a directory junction from that folder to another folder thereby obtains full permissions on the contents of the target folder.
This vulnerability is similar to CVE-2019-0841 and CVE-2020-1317: the end result is the same, but this one is triggered by Group Policy updates.
Intro
Group Policy Caching has been in use since Windows 8.1. It keeps a copy of the group policies in a local cache for performance purposes. User GPO Settings are stored in %programdata%\Microsoft\GroupPolicy\Users, while Computer GPO Settings are stored in %windir%\System32\GroupPolicy\DataStore.
The Vulnerability
As mentioned before, when a group policy update occurs, the policies are cached locally. We are particularly interested in the User GPO Settings cache location, %programdata%\Microsoft\GroupPolicy\Users, because %programdata% is writable by default even by a low-privileged user.
We first look at the file operations that occur when we launch the gpupdate command in Windows as a low-privileged user. We will use Process Monitor (ProcMon) from Sysinternals to get visibility into the various file operations.
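As a defensive check that complements the write-up, the following PowerShell is an added example (not code from the ZDI post) that inspects the User GPO cache folder: it reports whether ordinary users hold write rights on the cache root and lists any reparse points (junctions or symlinks) inside it, since a junction in this cache is exactly the precondition the vulnerability relies on. It assumes PowerShell 5.1 or later (for the LinkType and Target properties) and an elevated prompt.

```powershell
# Added defensive check, not from the original post.
# Assumes PowerShell 5.1+ and an administrative session.
function Find-GpoCacheJunctions {
    param(
        # Cache location named in the write-up
        [string]$CacheRoot = (Join-Path $env:ProgramData 'Microsoft\GroupPolicy\Users')
    )

    if (-not (Test-Path -LiteralPath $CacheRoot)) {
        Write-Warning "GPO user cache not found at $CacheRoot"
        return
    }

    # 1. Report ACEs that let ordinary users write into the cache root.
    $acl = Get-Acl -LiteralPath $CacheRoot
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference -match 'Users|Everyone|Authenticated Users' -and
            $_.FileSystemRights -match 'Write|Modify|FullControl|CreateFiles|AppendData|CreateDirectories'
        } |
        ForEach-Object {
            [pscustomobject]@{
                Finding  = 'WritableCacheRoot'
                Path     = $CacheRoot
                Identity = $_.IdentityReference
                Rights   = $_.FileSystemRights
            }
        }

    # 2. Any reparse point under the cache root is suspicious: the policy
    #    engine only writes plain directories and files here.
    Get-ChildItem -LiteralPath $CacheRoot -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Target is string[] on 5.1 and string on PowerShell 7; normalise to one string
            $target = ($_.Target | Out-String).Trim()
            [pscustomobject]@{
                Finding  = 'ReparsePointInCache'
                Path     = $_.FullName
                LinkType = $_.LinkType
                Target   = $target
            }
        }
}

Find-GpoCacheJunctions | Format-Table -AutoSize
```

An empty result means no user-writable ACE on the cache root and no junctions beneath it; a ReparsePointInCache row whose Target lies outside the cache is worth investigating before the next policy refresh runs as SYSTEM.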
We will use the ProcMon filter and highlight settings shown in the following screenshots:
via Zero Day Initiative, October 28, 2020 at 09:33PM