Xbox Privilege Escalation is a serious security vulnerability on Xbox gaming platforms that could allow an attacker to escalate user privileges and gain system-level access. It abuses the directory change process of the Gaming Service components, which aren’t part of default installations. We will explore its details, its impact, and any mitigations.
Microsoft’s Xbox gaming platform has quickly become one of the world’s favorite entertainment hubs, yet like all software, it is subject to security vulnerabilities. One of the latest flaws, found in Xbox by Filip Dragović, is a privilege escalation that allows an attacker to elevate privileges and take control of a system by exploiting Gaming Service components, which are not default services but can be installed onto systems.
The Gaming Service is an essential component that supports various gaming-related functionalities on Xbox. It is responsible for managing game saves, configuration files, and other gaming-related files. When a user changes the installation directory, the Gaming Service attempts to move the files within that directory using MoveFileW API calls while impersonating the calling user.
The Xbox Privilege Escalation vulnerability arises from the Gaming Service’s behaviour during the directory change process. If an access denied error arises during the move operation, the service reverts impersonation and performs the move as SYSTEM instead.
Low-privileged users can exploit this behaviour by manipulating target directory naming conventions, dropping DLL files that might contain their desired code, and adding a deny delete ACL for themselves. When the Gaming Service then attempts to move the directory, the move fails while the service is impersonating the user but succeeds once it reverts impersonation and operates as SYSTEM.
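The fallback described above, modelled next to a hardened version, as an added example that is not part of the original post or the PoC. It is a Python model rather than Windows API code: the `Directory` class, its simplified access rule and the path `C:\old_install_dir` are constructed for illustration.

```python
# Constructed model: a directory with a deny-DELETE entry, moved by a service
# on behalf of a caller. Not Windows API code and not the Gaming Service's code.
from dataclasses import dataclass, field

SYSTEM = "NT AUTHORITY\\SYSTEM"

class AccessDenied(Exception):
    pass

@dataclass
class Directory:
    path: str
    owner: str
    deny_delete: set = field(default_factory=set)  # principals denied DELETE

    def can_move(self, principal):
        # Simplified rule: an explicit deny wins; otherwise SYSTEM and the
        # owner may move the directory.
        if principal in self.deny_delete:
            return False
        return principal in (SYSTEM, self.owner)

def move_as(principal, d, dest, log):
    if not d.can_move(principal):
        raise AccessDenied(principal)
    log.append((principal, d.path, dest))  # record which identity did the move
    d.path = dest

def vulnerable_move(caller, d, dest, log):
    """Pattern from the text: a denied impersonated move is retried as SYSTEM."""
    try:
        move_as(caller, d, dest, log)   # while impersonating the caller
    except AccessDenied:
        move_as(SYSTEM, d, dest, log)   # caller-chosen paths, SYSTEM rights

def hardened_move(caller, d, dest, log):
    """The caller's access check is final; a denial is reported, not bypassed."""
    try:
        move_as(caller, d, dest, log)
        return True
    except AccessDenied:
        return False

def demo():
    results = {}
    for name, mover in (("vulnerable", vulnerable_move), ("hardened", hardened_move)):
        d = Directory("C:\\old_install_dir", "redfoxsec", deny_delete={"redfoxsec"})
        log = []
        mover("redfoxsec", d, "C:\\new_install_dir", log)
        results[name] = [who for who, _, _ in log]
    return results
```

In the model, the deny entry the caller sets on their own directory is what triggers the SYSTEM retry, which is why the hardened version treats the denial as the final answer.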
To better understand how an exploit works, a proof-of-concept (PoC) was constructed. The PoC involves fooling the Gaming Service into believing its installation directory is safe but then redirecting it just before moving the folder – leading it into unintentionally loading an arbitrary DLL file as the system and thus giving an attacker elevated privileges for malicious code execution. Microsoft claims this exploit crosses no security boundaries.
A low-privileged user can install Xbox from the Microsoft Store and exploit it to escalate privileges and become an administrator.
Installing Xbox as the low-privileged user redfoxsec.
After Xbox is installed, the “Project16.exe” exploit is run and the Xbox installation directory is changed as follows.
Exploit link: GamingServiceEoP.
Follow these steps to change the Xbox installation directory. Open Xbox, click on “Sign In” and then open Settings.
After that, click on “Install Options” and use “CHANGE FOLDER” to select “C:\new_install_dir”.
After the installation directory is changed, the script executes and spawns a new cmd as “NT AUTHORITY\SYSTEM”.
The proof of concept demonstrates how a low-privileged user can exploit the Spooler Service to load an arbitrary DLL file as SYSTEM after tricking the Gaming Service and redirecting the folder to a different directory.
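For defenders, the end state of the walkthrough (a cmd running as “NT AUTHORITY\SYSTEM” after the Spooler Service loads the DLL) can be hunted in process-creation telemetry. The following is an added example, not part of the original post: it uses Sysmon Event ID 1 field names, all sample records are constructed, and it assumes the shell appears in the user's interactive session with the spooler process as its parent.

```python
# Detection sketch over process-creation records that use Sysmon Event ID 1
# field names. All sample records below are constructed for this example.
SYSTEM = "NT AUTHORITY\\SYSTEM"
SHELLS = {"cmd.exe", "powershell.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def score(event):
    """Return the reasons an event resembles the end state of the walkthrough."""
    if event["User"].upper() != SYSTEM or basename(event["Image"]) not in SHELLS:
        return []
    reasons = []
    # Services run in session 0; a SYSTEM shell in a user's session is unusual.
    if int(event["TerminalSessionId"]) != 0:
        reasons.append("SYSTEM shell in an interactive session")
    # Assumption: the shell is started from code loaded into the spooler process.
    if basename(event["ParentImage"]) == "spoolsv.exe":
        reasons.append("shell spawned by the print spooler")
    return reasons

def detect(events):
    hits = []
    for e in events:
        reasons = score(e)
        if reasons:
            hits.append((e["ProcessId"], reasons))
    return hits

def ev(pid, user, image, parent, session):
    return {"ProcessId": pid, "User": user, "Image": image,
            "ParentImage": parent, "TerminalSessionId": session}

SYS32 = "C:\\Windows\\System32\\"
SAMPLE_EVENTS = [  # constructed: user shell, service-side SYSTEM shell, suspect
    ev(3100, "LAB-PC\\redfoxsec", SYS32 + "cmd.exe", "C:\\Windows\\explorer.exe", 1),
    ev(3200, SYSTEM, SYS32 + "cmd.exe", SYS32 + "svchost.exe", 0),
    ev(4242, SYSTEM, SYS32 + "cmd.exe", SYS32 + "spoolsv.exe", 1),
]

if __name__ == "__main__":
    for pid, reasons in detect(SAMPLE_EVENTS):
        print(pid, "; ".join(reasons))
```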
Exploiting the Xbox Privilege Escalation vulnerability could have serious repercussions. An attacker with elevated privileges could gain control of a system and exploit it, potentially leading to unauthorized access, data theft, and further compromise of the system. Microsoft hasn’t taken any measures to date to address this vulnerability.
So far, Microsoft has commented on this issue that no security boundary is crossed. According to a Twitter post by Filip Dragović, Microsoft thinks that this is a valid issue. As of now, Microsoft has provided no mitigation and no CVE.
Redfox Security recommends updating to the latest version of Xbox as soon as a new update is released, restricting low-privileged users so that they cannot make changes to the host, and, if possible, removing the Xbox software from the system.
The Xbox Privilege Escalation Vulnerability in the Gaming Service component demonstrates the significance of providing users with a safe gaming environment. Although this vulnerability poses risks, Microsoft responded, which showed its commitment to addressing security concerns. By remaining vigilant and following recommended security practices, users can still enjoy Xbox gaming experiences while minimizing any adverse impacts due to vulnerabilities.