Windows 10 has a new 0-day vulnerability that allows read access to files without having the permissions to do so.
A hacker using the pseudonym SandboxEscaper has once again disclosed a 0-day vulnerability without informing Microsoft. This isn't the first time, and it looks like they tried to sell this information beforehand.
According to Bleeping Computer, the vulnerability affects ReadFile.exe, which allows read access to data at specific locations. The bug is in the "MsiAdvertiseProduct" function, which Microsoft uses to "generate an advertising script or advertise a product on the computer" and which "allows the installer to write in a script the registration and link information used to assign or publish a product". So, once again, a feature that practically nobody but Microsoft needs.
Calling this function causes the installer service to perform an arbitrary file copy that the attacker can control. SandboxEscaper explains that although there is a check, it can be bypassed during a short time window in which a race condition occurs.
As a result, arbitrary files can be copied with SYSTEM privileges, and the copy can then be read at any time. The following video shows the attack.
(Source: YouTube)
According to SandboxEscaper, the easiest way to confirm the bug is to create two local accounts and read the desktop.ini of the other account. The validity of the PoC was confirmed today by Mitja Kolsek, CEO of Acros Security and founder of the 0patch platform.
We have confirmed this POC to work and in fact provide read access to a chosen file that the initiating user didn't have read access to. https://t.co/GSP1YLo43U
— 0patch (@0patch) December 20, 2018
The story may still have a sequel for SandboxEscaper now that a third vulnerability has been published. Since the release of the first Windows 0-day exploit, SandboxEscaper has lost access to the GitHub account where the bug details and proof-of-concept code had been published. In a blog post, SandboxEscaper blames Microsoft directly for the loss of GitHub access.
SandboxEscaper has also caught the attention of the FBI. Google sent a notification that an FBI order had been received to hand over information about SandboxEscaper's Google account. Whether this is related to the publication of the 0-day exploits or to tweets about Trump is unclear.