Windows 10: 0-day bug enabled file overwrite

[German]At the end of the year 2018 a new 0-day bug in Windows became known, which allows attackers to overwrite files. Here is some information about this new bug.


The 0-day bug in Windows was discovered in December 2018 by a hacker using the alias SandboxEscaper. The hacker had already released three more 0-day bugs in Windows in the past. 

Bug in Error Reporting System

The 0-day bug is located in the Windows Error Reporting system and allows you to overwrite files in Windows 10 for which a user normally has no permissions.

0-day bug in Windows
(Click to zoom)

This takes advantage of the fact that the Windows Error Reporting tool can be run in task scheduling (see screenshot above). A Proof of Concept (PoC) was published by SandboxEscaper on GitHub. This PoC code overwrites the 'pci.sys' file with information about software and hardware issues collected through Windows Error Reporting (WER).

'Pci.sys' is a system component that is required for correct booting of the operating system as it lists physical device objects.

According to SandboxEscaper, other files could also be overwritten using this approach. The hacker speculates: "You can also use the PoC to potentially disable third-party AV software".


The hack isn't reliable

The 0-day bug is currently rather uncritical, an exploitation in the wild seems unlikely. The hacker writes that the effect used by the PoC is not guaranteed and that the exploit has some limitations. It could not be observed on some systems with certain CPUs. For example, the bug cannot be reproduced on a machine with a CPU core. It may also take some time for an effect to occur at all. The PoC depends on a race condition where one process gets access to resources faster than another.

This is confirmed by Will Dormann, a vulnerability analyst at CERT/CC. Dormann was able to reproduce the error in Windows 10 Home, Build 17134. However, Dormann writes that the overwriting is not consistent.

Microsoft informed at Christmas

The hacker sent an email to Microsoft before Christmas and announced on December 25, 2018 that he would release the PoC for a new bug in Windows on New Year's Day (see picture below).

Tweet zu 0-Day-Bug

But two days later he changed his mind and released the details by the end of December 2018. In general SandBoxEscaper seems to be a pretty frustrated personality (see also this reddit thread), as each of his released PoCs was somehow quite bumpy and unexpectedly released. Furthermore, the hacker always deactivates the accounts (or gets them deactivated). The PoCs are also usually not knitted in such a way that they can be easily exploited.

At the end of August, for example, he released an exploit that increases the permissions for SYSTEM under Windows via a vulnerability in the Task Scheduler component. This has been patched by Microsoft in the meantime. At the end of October 2018 he reported another Privilege Escalation Bug in Windows, which made it possible to delete a file without administrative permissions. On December 19, he released a PoC code that allowed reading protected files. Bleeping Computer discusses more details here.

Similar articles
New Windows 0-day-vulnerability (12/20/2018)
Windows 0-day ALPC vulnerability in task scheduler

Windows 10: 0-Day-Exploit in Microsoft Data Sharing
Windows ALPC vulnerability (CVE-2018-8440) used in Exploit Kit

Cookies helps to fund this blog: Cookie settings


This entry was posted in Windows and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *