
Two more Microsoft zero-days uploaded on GitHub


The AchieVer


SandboxEscaper has now published seven zero-days in Microsoft products; two more to come.
A security researcher going online by the pseudonym of SandboxEscaper has published today demo exploit code for two more Microsoft zero-days after releasing a similar fully-working exploit the day before.


These two mark the sixth and seventh zero-days impacting Microsoft products this security researcher has published in the past ten months, with the first four being released last year, and three over the past two days.


The first of the two new zero-days is a vulnerability in the Windows Error Reporting service that SandboxEscaper said can be exploited via a carefully placed DACL (discretionary access control list) operation.


The researcher named this bug "AngryPolarBearBug2" after a similar zero-day she discovered in the same Windows Error Reporting service last December, which she named "AngryPolarBearBug."


The good news is that this zero-day is not as easy to exploit as the last. "It can take upwards of 15 minutes for the bug to trigger," SandboxEscaper said.


Once exploited, the zero-day should grant an attacker access to edit files they normally couldn't. In other words, it's a local privilege escalation issue, but as SandboxEscaper puts it: "not that much of an issue."



The second of the Microsoft zero-days that SandboxEscaper published today is one impacting Internet Explorer 11.


Besides the exploit's source code and a short demo video, only a three-line summary is available for this zero-day.


Per SandboxEscaper, this vulnerability should allow attackers to inject malicious code in Internet Explorer. According to a security researcher who reviewed the exploit for ZDNet, this zero-day is not remotely exploitable, but can only be used to neuter security protections in IE for subsequent attacks, and should be considered a low-impact issue.
Today's releases come a day after the researcher published proof-of-concept code for another Windows zero-day, a local privilege escalation in the Windows Task Scheduler process.

SandboxEscaper's list of 2018 zero-days includes:

LPE in Advanced Local Procedure Call (ALPC)
LPE in Microsoft Data Sharing (dssvc.dll)
LPE in ReadFile
LPE in the Windows Error Reporting (WER) system


On her personal blog, the researcher promised to release two more zero-days impacting Microsoft products in the coming days.

Serial publisher of Windows 0-days drops exploits for 2 more unfixed flaws

SandboxEscaper has published 7 such exploits to date, 3 in the past 24 hours.

Screenshot of Windows Explorer.

Update: One of the two exploits published on Wednesday has now been confirmed to exploit a Windows vulnerability that Microsoft patched in this month's Update Tuesday release cycle. The flaw involving the Windows Error Reporting service was previously described as CVE-2019-0863, Gal De Leon, the researcher Microsoft credited with discovering the vulnerability, said on Twitter. Researchers with "micropatching" service 0patch have confirmed that the other exploit published on Wednesday, an IE 11 sandbox bypass, does indeed work on a fully patched Windows 10 system.


The headline of this post has been changed to reflect this new information. What follows is the story as it appeared earlier, with the exception of the last paragraph, which has also been changed to reflect the new information.


A serial publisher of Microsoft zeroday vulnerabilities has dropped exploit code for three more unpatched flaws, marking the seventh time the unknown person has done so in the past year.


Technical details of the vulnerabilities, along with working proof-of-concept exploits, are the work of someone using the moniker SandBoxEscaper. A local privilege-escalation vulnerability in the Windows Task Scheduler that was disclosed on Tuesday allows an authenticated attacker to gain SYSTEM privileges on an affected system. On Thursday, the person released a privilege escalation code that exploits a bug in the Windows Error Reporting service. Attackers can use it to modify files that would normally be off limits. A third exploit, which was also released Wednesday, works against Internet Explorer 11 and allows attackers to execute a JavaScript that runs with higher system access than is normally permitted by the browser sandbox.

Decent deal

Like the other exploits SandboxEscaper has published over the past year—including this one Ars covered last August and this one from last October—the three recent ones don’t allow attackers to remotely execute malicious code. Still, as security defenses in recent versions of Windows and other operating systems have improved, the value of these types of exploits has grown, since they are often the only way to bypass security sandboxes and similar protections. Despite some limitations in the exploit that were transparently noted by SandBoxEscaper, the disclosures are significant if they work as purported against fully patched versions of Windows 10.


“Any new privilege escalation on native Windows 10 is a pretty decent deal as most vulnerabilities are on applications that you put on top of the OS rather than in the OS itself,” Charles Dardaman, a security researcher in Dallas, told Ars. “If an attacker had an RCE or some other way, like phishing, that gave low-level access to a machine, they could then use one of these attacks to escalate to Admin."


In March, Google reported that a then-unpatched privilege-escalation vulnerability in older versions of Windows was being used alongside an unrelated exploit in the Chrome browser. On its own, neither exploit was able to do much damage, thanks to the defense-in-depth mitigations built into Windows and Chrome. Together, however, the exploits allowed hackers to remotely execute malware of their choice. Dardaman said that the two privilege-escalation vulnerabilities SandboxEscaper published over the past 24 hours are likely to have similar capabilities when combined with the right additional exploit.


In Tuesday’s disclosure, SandboxEscaper wrote that the Task Scheduler vulnerability works by exploiting a flaw in the way the Task Scheduler processes changes to discretionary access control list permissions for an individual file. An advisory published Wednesday by US Cert confirmed that the exploit worked against both 32-bit and 64-bit versions of Windows 10.


Below is video of the exploit in action:



Microsoft representatives have yet to comment on the disclosures this week. It wouldn't be surprising if patches for the two confirmed zerodays were available as soon as next month's Update Tuesday.


Source: Serial publisher of Windows 0-days drops exploits for 2 more unfixed flaws (Ars Technica)