The anonymous hacker known by the alias SandboxEscaper has just revealed a new vulnerability in Windows 10. It uses the Edge browser to write DACL entries and thereby grant itself SYSTEM privileges.
I have already reported on the hacker with the alias SandboxEscaper in several blog posts. SandboxEscaper discloses vulnerabilities to the public without informing Microsoft beforehand. As The Hacker News writes, SandboxEscaper has now publicly released a second zero-day exploit that bypasses the patch for a recently fixed elevation-of-privilege vulnerability in the Microsoft Windows operating system.
The hacker claims to have found a new way to bypass Microsoft's security patch for the same vulnerability, so that a specially crafted malicious application can elevate its privileges and take complete control of a patched Windows computer. On GitHub, the hacker has published a video and a document file providing more detailed information.
The new exploit, called ByeBear, abuses the Microsoft Edge browser to write the Discretionary Access Control List (DACL) with SYSTEM privileges. However, the whole thing does not appear to be very reliable, because it depends on a race condition. SandboxEscaper explains: “It’s going to increase the thread priority to increase our odds of winning the race condition that this exploits. If your VM freezes, it means you either have 1 core or set your VM to have multiple processors instead of multiple cores… which will also cause it to lock up.”
“This bug is most definitely not restricted to Edge. This will be triggered with other packages too. So you can definitely figure out a way to trigger this bug silently without having Edge pop up. Or you could probably minimize Edge as soon as it launches and close it as soon as the bug completes. I think it will also trigger by just launching Edge once, but sometimes you may have to wait for a little. I didn’t do extensive testing… found this bug and quickly wrote up a PoC, took me like 2 hours total, finding Local Privilege Execution (LPEs) is easy.”