The user profile service, identified as ProfSrv, contains a local privilege elevation vulnerability
in its CreateDirectoryJunction() function, caused by a lack of appropriate checks on the directory structure of
the junctions it tries to link together.
Attackers can leverage this vulnerability to plant a malicious DLL in a system directory and then trigger a
UAC prompt to cause this DLL to be loaded and executed by ProfSrv as the NT AUTHORITY\SYSTEM user.
Note that this bug was originally identified as CVE-2021-34484 and was subsequently patched a second time as
CVE-2022-21919; however, both patches were found to be insufficient. This bug is a patch bypass for
CVE-2022-21919 and, at the time of publishing, has not yet been patched, though plans are in place to patch it.
It is important to note that the credentials supplied for the second user to log in as in this exploit must be
those of a normal non-admin user, and these credentials must also correlate with a user who has already logged in
at least once before. Additionally, the current user running the exploit must have UAC set to the highest level,
aka "Always Notify Me When", in order for the code to be executed as NT AUTHORITY\SYSTEM. Note however that
"Always Notify Me When" is not the default UAC setting on common Windows installs, so this would only affect instances
where this setting has been changed either manually or as part of the installation process.