On 27th August, a self-proclaimed ‘retired vulnerability researcher’ who goes by the name ‘SandboxEscaper’ tweeted about a local privilege escalation exploit for Windows. The unknown Windows zero-day vulnerability found in the Windows OS could allow a local user or a malicious one to obtain system privileges on the targeted machine.
Will Dorman, an engineer of CERT/CC, confirmed the vulnerability and issued an official CERT/CC alert on the same day. He said that the vulnerability is a privilege escalation issue and resides in the Windows’ task scheduler program. It occurred due to errors in the handling of Advanced Local Procedure Call (ALPC) systems.
ALPC interface is a Windows-internal mechanism and works as an inter-process communication system. With ALPC, a client process running within the OS can ask a server process running within the same OS to provide some information or perform some action.
Proof-of-concept (PoC) code to exploit the ALPC interface on GitHub
SandboxEscaper released a proof-of-concept (PoC) code on GitHub on 7th May, in order to exploit the ALPC interface to gain SYSTEM access on a Windows system. This PoC can largely attract malware authors as it allows benign malware to gain an admin access on targeted systems.
At present, there are no known solutions for this vulnerability, which has been awarded a Common Vulnerability Scoring System (CVSS) score of 6.4 – 6.8. A CVSS score ranging between 4.0 – 6.9 is said to have medium severity as per the Qualitative Severity Rating Scale.
SandboxEscaper did not notify Microsoft about the vulnerability, which leaves all the Windows 64-bit users prone to attack. However, Microsoft has acknowledged the 0-day flaw and we can expect this flaw to be resolved in Microsoft’s next security updates scheduled for September 11, the company’s next ‘Patch Tuesday’.
The person behind the Windows zero-day hack: SandboxEscaper
This vulnerability was discovered by a self-educated blogger named ‘Sandbox escaper’. Her previous work can be found at https://sandboxescaper.blogspot.com/p/disclosures_8.html
What is intriguing is that the blogger calls herself a ‘retired vulnerability researcher’ who now blogs on travel. However, she has just started looking for a job in vulnerability research a week before her now famous Windows 0day hack. She says on her post on her current job hunt,
“I have mainly focused on logic bugs so far. So ideally I would prefer a place that is willing to mentor me, and doesn’t just expect me to start breaking all the hard targets and sandboxes by myself.
I would also prefer an onsite job in the UK (I’m currently a citizen of Belgium and also living there).”
She also goes forth to mention that being a transgender, her transition has been really difficult. Dealing with social pressure and anxiety isn’t easy, but this vulnerability researcher is causing heads to turn thanks to this discovery! She’s definitely got Microsoft’s attention now. Would be interesting to see if Microsoft decides to give her a chance at a job interview.
On a related note, this story also underscores the existing toxic culture in tech and highlights why it is important for tech companies to push inclusion and diversity as a key CxO performance metric. A person should be judged on merits and capabilities, not on their personal lifestyle choices or their traits/features, physical, emotional, sexual, political or otherwise.
Further updates to this story
After SandboxEscaper’s first tweet caused friction in the flaw disclosure process. She followed up with another tweet stating “Enjoy the 0day. It will get patched really fast. I guess I had fun today. Now I’m gone for a while, bye.”
Publicly releasing Windows vulnerabilities before Microsoft has issued a patch is quite rare. Microsoft, and many other companies offer bug bounties, or rewards, for information on software flaws. However, publicly disclosing the flaw vindicates someone from earning a bug bounty.
As per Microsoft’s rules, detailed proof-of-concept code similar to the one that SandboxEscaper posted, must not be disclosed until 30 days after Microsoft issues a patch.
Her GitHub video might have violated Microsoft’s terms and conditions for bug rewards.
Yesterday, SandboxEscaper tweeted, “I screwed up, not MSFT (they are actually a cool company).”
SandboxEscaper received an overwhelmingly positive response and compliments for her vulnerability discovery from various tech geeks, including from the cybersecurity training company Hacker House.
Read more about this 0day exploit’s technical details on Kevin Beaumont’s Medium post.
Note: Updated on 30th Aug, to include section on ‘Further updates to this story’.
Read Next
Sugar operating system: A new OS to enhance GPU acceleration security in web apps
