vendor:
Windows MultiPoint Server 2011
by:
it
N/A
CVSS
HIGH
Privilege Escalation
CWE
Product Name: Windows MultiPoint Server 2011
Affected Version From: Windows MultiPoint Server 2011 SP1
Affected Version To: Windows MultiPoint Server 2011 SP1
Patch Exists: NO
Related CWE:
CPE: o:microsoft:windows_multipoint_server:2011:sp1
Platforms Tested: Microsoft Windows MultiPoint Server 2011 - English Version
2021
Windows MultiPoint Server 2011 SP1 – RpcEptMapper and Dnschade Local Privilege Escalation
A local non-admin user on the computer can create a Performance subkey in the HKLMSYSTEMCurrentControlSetServicesDnscache or HKLMSYSTEMCurrentControlSetServicesRpcEptMapper registry keys, populate it with values, and trigger performance monitoring, which leads to a Local System WmiPrvSE.exe process loading the attacker's DLL and executing code from it.
Mitigation:
Apply the latest security updates and patches from Microsoft. Restrict user permissions to prevent unauthorized access to registry keys.