Twitter user @SandboxEscaper has once again disclosed a zero-day exploit in Windows 10 (and the server editions) and published a proof of concept (PoC) on GitHub. It concerns the Microsoft Data Sharing library dssvc.dll and allows an elevation of privileges.
Twitter user @SandboxEscaper had already made a name for himself two months ago with a zero-day exploit in the Task Scheduler, but then deactivated his Twitter account (see Windows 0-day ALPC vulnerability in task scheduler).
Vulnerability in Microsoft Data Sharing library
Now @SandboxEscaper has disclosed a new vulnerability in Windows via Twitter and has also delivered a proof of concept (PoC).
https://t.co/1Of8EsOW8z Here’s a low quality bug that is a pain to exploit.. still unpatched. I’m done with all this anyway. Probably going to get into problems because of being broke now.. but whatever.
— SandboxEscaper (@SandboxEscaper) October 23, 2018
The tweet is a bit cryptic: SandboxEscaper writes something about a still unpatched ‘low quality bug’ that can be exploited. He has published a proof of concept (PoC) on GitHub with which the bug can be exploited. But the RAR archive file from GitHub is immediately blocked as harmful by Chrome on my system, so I didn’t test anything.
The tweet above shows that @SandboxEscaper probably wants to withdraw from the whole thing: he’s done, he writes. And he probably indicates that he is broke (he had tried to sell the previous vulnerability to the highest bidder; possibly he was ‘burned’ in this respect). This may be inferred from this tweet, where he suggests that he has to get drugs on the grey market because health care in Belgium is crap. According to the hints, he is likely to suffer from depression and therefore seems to be unemployed/not able to work. But that is speculation on my part.
A few details about the vulnerability
The Hacker News has addressed the issue in this article. The vulnerability (0-day exploit) is located in the Microsoft Data Sharing library dssvc.dll. The DLL is responsible for the Data Sharing Service, a local service that runs under the LocalSystem account with extensive privileges and brokers data between applications.
The proof of concept (PoC) published on a GitHub page exploits what appears to be a privilege escalation vulnerability in Microsoft Data Sharing (dssvc.dll). The vulnerability could allow a low-privileged attacker to elevate his privileges on a target system. However, the PoC exploit code (deletebug.exe) shared by @SandboxEscaper only allows a low-privileged user to delete critical system files that would otherwise only be accessible with administrator privileges. According to The Hacker News, @SandboxEscaper writes:
“Not the same bug I posted a while back, this doesn’t write garbage to files but actually deletes them.. meaning you can delete application dll’s and hope they go look for them in user write-able locations. Or delete stuff used by system services c:\windows\temp and hijack them.”
But the bug allows DLLs and other files to be deleted, which opens another attack vector. If a DLL is deleted, an attacker can hope that the applications or services that need it will then search for the missing DLL (via the search path) in places that are writable with user rights. If the attacker then places his own DLL in one of these directories, successful DLL hijacking is possible (I have addressed this scenario several times in my blog).
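A defender-side check for the hijacking scenario above, as an added example that is not part of the original post: this PowerShell script lists directories on the machine-wide PATH (one part of the DLL search path) where well-known low-privileged groups may create files. The SID list, the helper name and the restriction to PATH are choices made for this example.

```powershell
# Added example (not from the original post): find machine-PATH directories
# where low-privileged principals may create files, i.e. where a planted DLL
# could be picked up once the legitimate copy is gone.
$LowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-4'        # INTERACTIVE
)
# WriteData/CreateFiles (0x2), AppendData/CreateDirectories (0x4), plus the
# generic bits GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000).
$WriteBits   = 0x2 -bor 0x4 -bor 0x10000000 -bor 0x40000000
$InheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-LowPrivWriteAce {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Directory)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $acl = Get-Acl -LiteralPath $Directory -ErrorAction Stop
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs affect children, not the directory itself.
        if ($ace.PropagationFlags.HasFlag($InheritOnly)) { continue }
        if ($LowPrivSids -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteBits) -ne 0) { $ace }
    }
}

$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
$findings = foreach ($entry in ($machinePath -split ';')) {
    $dir = [Environment]::ExpandEnvironmentVariables($entry.Trim().Trim('"'))
    if (-not $dir) { continue }
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        # Missing entries need review: whoever can create them controls them.
        [pscustomobject]@{ Directory = $dir; Principal = '(missing)'; Rights = $null }
        continue
    }
    foreach ($ace in Get-LowPrivWriteAce -Directory $dir) {
        [pscustomobject]@{
            Directory = $dir
            Principal = $ace.IdentityReference.Value   # SID string
            Rights    = $ace.FileSystemRights
        }
    }
}
$findings | Sort-Object Directory, Principal | Format-Table -AutoSize
```

Run it from an elevated prompt so that every ACL can be read; application directories and other locations outside PATH are not covered.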
Windows 10 and server editions at risk
The Hacker News writes that the Microsoft Data Sharing service was introduced in Windows 10 and later versions of Windows Server editions. In other words: Users of Windows 7 SP1 and Windows 8.1 and their server counterparts are not affected by this vulnerability.
Will Dormann successfully ran the PoC exploit against a “fully patched Windows 10 system” (V1803) with the latest security updates from October 2018, as well as against Server 2016 and Server 2019, as he writes on Twitter.
Confirmed as well on Win10 1803, fully-patched as of October.
It’s perhaps worth noting that the service used by the PoC, Data Sharing Service (dssvc.dll), does not seem to be present on Windows 8.1 and earlier systems. https://t.co/W8cNNC4xYO
— Will Dormann (@wdormann) October 23, 2018
At this point I’d like to point out: I don’t recommend that any blog reader run the PoC. Nobody knows what’s in the file, and the code can crash the operating system.
Micropatch from 0patch available
Hours after the PoC was published by @SandboxEscaper, Mitja Kolsek from 0patch announced a micropatch for this vulnerability via Twitter.
Hey, we have a micropatch candidate for your 0day, currently working on fully updated Windows 10 1803. Would you care to try it out? (Please DM)
— Mitja Kolsek (@mkolsek) October 23, 2018
Another tweet from 0patch confirms that the vulnerability is no longer exploitable.
7 hours after the 0day in Microsoft Data Sharing Service was dropped, we have a micropatch candidate that successfully blocks the exploit by adding impersonation to the DeleteFileW call. As you can see, the Delete operation now gets an “ACCESS DENIED” due to impersonation. pic.twitter.com/qoQgMqtTas
— 0patch (@0patch) October 23, 2018
I have already published some articles about 0patch and its micropatches here in my blog. 0patch always aims to patch zero-day exploits before Microsoft releases a regular security update.