Windows 10: 0-Day-Exploit in Microsoft Data Sharing

[German]Twitter user @SandboxEscaper has once again disclosed a zero-day exploit in Windows 10 (and the server editions) and published a proof of concept (PoC) on GitHub. It concerns the Microsoft Data Sharing library dssvc.dll, which allows an extension of rights..


Advertising


Twitter user @SandboxEscaper had already made a name for himself two months ago with a zero-day exploit in the task scheduler (task planning) – but then switched off his Twitter account (see Windows 0-day ALPC vulnerability in task scheduler).

Vulnerability in Microsoft Data Sharing library

Now @SandboxEscaper has disclosed a new vulnerability in Windows via Twitter and delivered also a proof of concept (PoC).

The tweet is a bit cryptic, SandboxEscaper writes something about a still unpatched ‘low quality bug’ that can be exploited. He has published a Proof of Concept (PoC) on GitHub, with which the bug can be exploited. But the GitHub RAR archive file is immediately blocked as harmful by Chrome on my system.  So I didn’t tested anything. 

The tweet above shows that @SandboxEscaper probably wants to withdraw from the whole thing – he’s done, he writes. And he probably indicates that he is broke (he had tried to sell the previous vulnerability to the highest bidder, possibly he was ‘burned’ in this respect). This may emerge from this tweet, where he suggests that he has to get drugs on the grey market because health care in Belgium is crap. According to the hints, he is likely to suffer from depression and therefore seems to be unemployed/not able to work. But that is speculation on my part.

A few details about the vulnerability

The Hacker News has addressed the issue in this article. The vulnerability (0-day exploit) is located in the Microsoft Data Sharing library dssvc.dll. The DLL is responsible for the Data Sharing Service. The Data Sharing Service is a local service that runs as a LocalSystem account with extensive privileges and enables data switching between applications.


Advertising

The Proof of Concept (PoC) published on a Github page probably exploits a privilege escalation vulnerability in the dssvc.dll data sharing library, which provides one that appears to be a privilege escalation vulnerability in Microsoft Data Sharing (dssvc.dll). The vulnerability could allow a low-privileged attacker to increase his privileges on a target system. However, the PoC exploit code (deletebug.exe) shared by @SandboxEscaper only allows a low-privilege user to delete critical system files that would otherwise only be accessible with administrator privileges. @SandboxEscaper writes according to The Hacker News:

“Not the same bug I posted a while back, this doesn’t write garbage to files but actually deletes them.. meaning you can delete application dll’s and hope they go look for them in user write-able locations. Or delete stuff used by system services c:\windows\temp and hijack them.”

But it allows to delete DLLs and other stuff. This opens another attac vector. If a DLL is deleted, an attacker can hope that the applications, services or whatever then search the missing DLL in places (via search path) that are writable with user rights. If an attacker then places his own DLLs in these directories, successful DLL hijacking is possible (I addressed the scenario several times in my blog). 

Windows 10 and server editions at risk

The Hacker News writes that the Microsoft Data Sharing service was introduced in Windows 10 and later versions of Windows Server editions. In other words: Users of Windows 7 SP1 and Windows 8.1 and their server counterparts are not affected by this vulnerability. 

The PoC exploit was successfully exploited by Will Dormann against a “fully patched Windows 10 system” (V1803) with the latest security updates from October 2018, Server 2016 and Server 2019, as he writes on Twitter.

At this point I’d like to point out: I don’t recommend any blog reader to run the PoC. Nobody knows what’s in the file – and the code can crash the operating system.

Micropatch from 0patch available

Hours after the PoC was published by @SandboxEscaper, Mitja Kolsek from 0patch announced a micropatch for this vulnerability via Twitter.

In another tweet of 0patch, it is confirmed, that the vulnerability is no longer exploitable.

I already had some articles about 0patch and its micro patches here within my blog. 0patch always intend to patch zero-day exploits before Microsoft releases a regular security update. 

Similar articles:
Windows 0-day ALPC vulnerability in task scheduler
Windows ALPC vulnerability (CVE-2018-8440) used in Exploit Kit


Advertising


This entry was posted in Security, Windows and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *