Researcher Details Windows Elevation of Privilege Vulnerability (CVE-2024-26238)

Security researcher Guillaume André with Synacktiv has detailed a high-severity vulnerability, CVE-2024-26238 (CVSS 7.8), in Microsoft’s Windows Update component RUXIM (Reusable UX Integration Manager). This flaw allows attackers to exploit a scheduled task called PLUGScheduler, potentially gaining full control of a Windows system.

The vulnerability stems from how PLUGScheduler, running as SYSTEM, manages file operations within a directory accessible to standard users. By manipulating this process, attackers can achieve arbitrary file write permissions as SYSTEM, effectively granting them complete control over the operating system.

When the PLUGScheduler task is triggered, it runs the C:\Program Files\RUXIM\PLUGScheduler.exee executable as SYSTEM. The process includes creating the C:\ProgramData\PLUG\Logs folder (if it doesn’t exist), deleting the RUXIMLog.050.etl file, and renaming other log files sequentially. The key vulnerability arises from the permissive Access Control Lists (ACLs) of the Logs folder, allowing standard users to perform certain operations, such as creating files and folders and writing attributes.

To exploit this vulnerability, attackers can follow these steps:

1. Set up a Scheduled Task: Create a scheduled task triggered at each logon that attempts to create the RUXIMLog.001.etl directory continuously until it succeeds.
2. Create the Directory: Once the directory is created, log off and log on repeatedly until the only entry in the Logs directory is the RUXIMLog.001.etl directory.
3. Remove the Directory: Delete the RUXIMLog.001.etl directory to prepare for the next steps.
4. Set up Junction Point and Symbolic Links: Configure the \RPC Control junction point and create symbolic links for RUXIMLog.049.etl and RUXIMLog.050.etl.
5. Trigger the Exploit: Log off and log on to execute the PLUGScheduler task, resulting in the attacker-controlled file being moved to the desired location.

Successful exploitation of CVE-2024-26238 can have severe consequences, including the ability to execute code with the highest system privileges, install malicious software, and tamper with sensitive data.

This vulnerability affects Windows 10 versions 2004 through 20H2. Users running these versions are strongly advised to install the security update KB 5001716 immediately to protect their systems. The update is available through Windows Update and should be installed automatically for most users. Those running unsupported Windows 10 versions or without the latest updates should manually check for and install KB5001716.

Guillaume André recommends configuring stricter access control lists (ACLs) for the C:\ProgramData\PLUG directory and its subdirectories. This will restrict write access to privileged users only, reducing the attack surface and mitigating the risk of exploitation.