LegacyHive: 'Bone-shattering' zero-day from Microsoft's serial tormentor not the haymaker that was promised

Experts say it’s a useful post-compromise tool, for those with the brain cells required to put it together

Microsoft’s worst nightmare - a prolific zero-day vulnerability hunter who calls themselves Nightmare Eclipse - published yet another zero-day on Tuesday, a vulnerability allowing attackers to mount user hives, including partial exploit code.Suspected of being a disgruntled former Microsoft engineer, based on the sophistication of their prior vulnerabilities, NightmareEclipse came good on their promise to release another zero-day on July 14. Whether it lives up to the promised “bone-shattering” standard touted in June is up for debate, however.Called “LegacyHive,” the proof of concept (PoC) code for the zero-day local privilege escalation (LPE) vulnerability targets Windows’ user hives - the section of the Windows Registry that stores a user's specific desktop settings, application preferences, and environment configurations.

The code exploits a weakness in profsvc, the Windows User Profile Service, and the way in which it loads hives. If exploited correctly it could grant regular users privileged read-write access to target other users' hives.