Full Report
Following our previous research, LevelBlue SpiderLabs continued monitoring a series of Windows security component disclosures published under multiple online aliases, including Nightmare-Eclipse, Chaotic Eclipse, Dead Eclipse, and most recently MSNightmare.
Analysis Summary
# Vulnerability: RoguePlanet and GreatXML - Local Privilege Escalation & BitLocker Bypass
## CVE Details
- **CVE ID:** CVE-2024-38018 (RoguePlanet) / CVE-2024-38100 (GreatXML)
- **CVSS Score:** 7.8 (High)
- **CWE:** CWE-269 (Improper Privilege Management)
## Affected Systems
- **Products:** Microsoft Windows and Windows Server.
- **Versions:** Windows 10, Windows 11, and Windows Server (2016, 2019, 2022).
- **Configurations:** Systems utilizing Windows Desktop Bridge (Centennial), Windows Backup, or BitLocker security features.
## Vulnerability Description
This research identifies two distinct paths for privilege escalation and security boundary abuse:
1. **RoguePlanet (CVE-2024-38018):** A flaw in the Windows Desktop Bridge (Appx) system where the `AppxDeploymentServer` fails to properly validate folder junctions during package installation/reconstruction. An attacker can use a junction to redirect file operations, leading to the deletion or creation of files with SYSTEM privileges.
2. **GreatXML (CVE-2024-38100):** A vulnerability in the Windows Backup and BitLocker recovery process. By manipulating XML configuration files used during system recovery or backup, an attacker can bypass BitLocker security boundaries or escalate local privileges by hijacking the high-privileged processes that parse these files.
## Exploitation
- **Status:** PoC code has been released under several aliases (Nightmare-Eclipse, MSNightmare). Active monitoring indicates interest from threat actors; reports of in-the-wild exploitation remain limited but are increasing.
- **Complexity:** Medium (Requires specific timing and file system manipulation).
- **Attack Vector:** Local (Attacker must have an existing foothold on the machine).
## Impact
- **Confidentiality:** High (Access to restricted system files and BitLocker keys).
- **Integrity:** High (Ability to modify system binaries or configurations).
- **Availability:** Medium (Potential for system instability during file deletion).
## Remediation
### Patches
- **Microsoft September 2024 Patch Tuesday:** Apply updates for CVE-2024-38018 and CVE-2024-38100 immediately to all Windows endpoints and servers.
### Workarounds
- **Strict ACLs:** Ensure users do not have write access to sensitive system directories where junctions might be abused.
- **Appx Restriction:** If not required, limit the ability of standard users to install Windows Store/Appx packages through Group Policy.
## Detection
- **Indicators of Compromise:**
  - Creation of Windows Junctions (`.mnt` or symbolic links) pointing to `C:\Windows\System32` or `C:\Config.msi`.
  - Execution of `diskpart.exe` or `wbengine.exe` from unusual parent processes.
  - Presence of unexpected `.xml` files in Windows Backup directories.
- **Detection Methods:**
  - Monitor Event ID 4663 (An attempt was made to access an object) for system file manipulation by non-admin users.
  - Use EDR rules to flag suspicious `Appx` deployment activities and folder redirection attempts.
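As an added example (not code from the LevelBlue report), the two detection methods above expressed as triage logic over constructed Windows audit records: Event ID 4663 write/delete access under `C:\Windows\System32` or `C:\Config.msi` by a non-privileged account, and Event ID 4688 creation of `diskpart.exe`/`wbengine.exe` from a parent outside an expected set. The privileged-account and expected-parent sets are assumptions to tune per environment.

```python
from pathlib import PureWindowsPath

# Paths named in the Indicators of Compromise section (compared case-insensitively).
SENSITIVE_ROOTS = (r"c:\windows\system32", r"c:\config.msi")
WATCHED_IMAGES = {"diskpart.exe", "wbengine.exe"}
# Assumptions for this example, tune per environment: accounts that legitimately
# write under the roots above, and parents that normally launch the watched tools.
PRIVILEGED_ACCOUNTS = {"system", "trustedinstaller", "local service", "network service"}
EXPECTED_PARENTS = {"services.exe", "svchost.exe", "cmd.exe", "mmc.exe", "powershell.exe"}
WRITE_MASK_BITS = 0x2 | 0x4 | 0x10000  # FILE_WRITE_DATA | FILE_APPEND_DATA | DELETE

def under_sensitive_root(path):
    p = path.lower()
    return any(p == r or p.startswith(r + "\\") for r in SENSITIVE_ROOTS)

def flag_object_access(ev):
    """4663: write or delete access on a sensitive path by a non-privileged subject."""
    if (ev["EventID"] != 4663 or not under_sensitive_root(ev["ObjectName"])
            or ev["SubjectUserName"].lower() in PRIVILEGED_ACCOUNTS
            or not int(ev["AccessMask"], 16) & WRITE_MASK_BITS):
        return None
    return f"4663 {ev['SubjectUserName']} mask={ev['AccessMask']} on {ev['ObjectName']}"

def flag_process_create(ev):
    """4688: diskpart/wbengine launched by a parent outside the expected set."""
    if ev["EventID"] != 4688:
        return None
    image = PureWindowsPath(ev["NewProcessName"]).name.lower()
    parent = PureWindowsPath(ev["ParentProcessName"]).name.lower()
    if image in WATCHED_IMAGES and parent not in EXPECTED_PARENTS:
        return f"4688 {image} spawned by {ev['ParentProcessName']}"
    return None

def triage(events):
    """Return one alert string per record matching either rule."""
    return [hit for ev in events if (hit := flag_object_access(ev) or flag_process_create(ev))]

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"EventID": 4663, "SubjectUserName": "alice", "AccessMask": "0x10000",
     "ObjectName": r"C:\Windows\System32\config\sample.dll"},
    {"EventID": 4663, "SubjectUserName": "TrustedInstaller", "AccessMask": "0x2",
     "ObjectName": r"C:\Windows\System32\ntdll.dll"},
    {"EventID": 4663, "SubjectUserName": "alice", "AccessMask": "0x2",
     "ObjectName": r"C:\Users\alice\notes.txt"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\wbengine.exe",
     "ParentProcessName": r"C:\Users\alice\AppData\Local\Temp\stage.exe"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\diskpart.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe"},
]
```

Calling `triage(SAMPLE_EVENTS)` on the constructed records yields two alerts: the non-privileged DELETE under System32 and `wbengine.exe` spawned from a user's Temp directory; the TrustedInstaller write and the `cmd.exe`-launched `diskpart.exe` are not flagged.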
## References
- **Microsoft Advisory (CVE-2024-38018):** hxxps[://]msrc[.]microsoft[.]com/update-guide/vulnerability/CVE-2024-38018
- **Microsoft Advisory (CVE-2024-38100):** hxxps[://]msrc[.]microsoft[.]com/update-guide/vulnerability/CVE-2024-38100
- **LevelBlue SpiderLabs Research:** hxxps[://]www[.]levelblue[.]com/blogs/spiderlabs-blog/rogueplanet-and-greatxml-detecting-local-privilege-escalation-and-bitlocker-security-boundary-abuse