
Two months ago, a security researcher known as SandboxEscaper disclosed a local privilege escalation exploit in Windows. The researcher is back with another Windows zero-day vulnerability, disclosed on Twitter yesterday. A Proof-of-Concept (PoC) for this vulnerability was also published on GitHub.

Many security experts analyzed the PoC and stated that this zero-day vulnerability only affects recent versions of the Windows OS, such as Windows 10 (all versions, including the latest October 2018 Update), Server 2016, and even the new Server 2019. An attacker can use it to elevate their privileges on systems they already have access to.

Will Dormann, software vulnerability analyst at CERT/CC, says, “this is because the Data Sharing Service (dssvc.dll) does not seem to be present on Windows 8.1 and earlier systems.”

According to ZDNet, experts who analyzed the PoC say, “The PoC, in particular, was coded to delete files for which a user would normally need admin privileges to do so. With the appropriate modifications, other actions can be taken.”

The second zero-day Windows exploit

This zero-day exploit is nearly identical to the previous exploit released by SandboxEscaper in August, said Kevin Beaumont, an infosec geek at Vault-Tec. “It allows non-admins to delete any file by abusing a new Windows service not checking permissions again”, he added. Microsoft released a security patch for the previous vulnerability in the September 2018 Patch Tuesday updates.

Whereas SandboxEscaper’s PoC for the previous exploit “wrote garbage data to a Windows PC, the PoC for the second zero-day will delete crucial Windows files, crashing the operating system, and forcing users through a system restore process”. For this reason, Mitja Kolsek, CEO of ACROS Security, advised users to avoid running this recent PoC.

Kolsek’s company released an update for its product (called 0Patch) that blocks exploitation attempts until Microsoft releases an official fix. Kolsek and his team are currently working on porting their ‘micro-patch’ to all affected Windows versions.

As per ZDNet, malware authors integrated SandboxEscaper’s first zero-day inside different malware distribution campaigns. Experts believe that malware authors can use the zero-day to delete OS files or DLLs and replace them with malicious versions. SandboxEscaper argues that this second zero-day can be just as useful for attackers as the first.

To know more about this news in detail, head over to ZDNet’s website.
