On the same day Microsoft issued a record number of security patches, a researcher known as NightmareEclypse released exploit code for a Windows zero-day vulnerability. The exploit, named HiveLegacy, targets the Windows User Profile Service and allows users with limited system rights to gain administrative privileges by modifying an administrator account's registry hive.
According to researchers, the HiveLegacy exploit is a "powerful primitive" that could be chained with other exploits to achieve more complex malicious actions, potentially without user interaction. To function, the exploit requires the attacker to possess credentials for another user on the machine and know the username of a third account, which does not need to be an administrator account.
Will Dormann, a senior principal vulnerability analyst at Tharros Labs, explained that if an attacker can set up their code to run when an administrator logs in, they effectively gain administrator privileges. The researcher, who has previously published nine such exploits, stated that the proof-of-concept code was simplified to prevent malicious use.
Microsoft has not yet responded to inquiries about its awareness of the zero-day or its plans to address the vulnerability. In the interim, independent researcher Kevin Beaumont has provided a detection script for systems vulnerable to HiveLegacy. Other suggested defenses include restricting non-user account creation, monitoring the User Profile Service for unexpected hive loads, and tracking activity related to NTUSER.DAT/UsrClass.dat.