[German]A reverse engineer bumped a vulnerability in Windows 10 in conjunction with the Hyper-V/Sandbox feature. Activating Hyper-V or the sandbox opens a 0-day vulnerability that can be used to attack the system.
What is the Windows Sandbox?
Probably every Windows user is familiar with it: It's software you're using for the first time. But you have concerns about running the downloaded executable file. This is exactly where the Windows Sandbox comes in: It provides an environment in which the software can be installed and executed. The application is isolated from the actual operating system and cannot make any changes there. The Windows Sandbox provides an isolated, temporary desktop environment where users can run untrusted software without fear of permanent impact on your PC.
Any software installed in Windows Sandbox stays only in the Sandbox and cannot affect your host. When you close Windows Sandbox, all software, files and statuses are permanently deleted. This feature is part of Windows 10 Pro, Education and Enterprise, but not part of Windows 10 Home. I have summarized further details in the blog post Windows 10 gets Sandbox for applications. In addition, the virtualization function Hyper-V must be supported by the CPU and the sandbox mode must be activated under Windows.
The vulnerability in the Windows Sandbox/Hyper-V
I recognized the Windows Sandbox mainly because of several bugs, so it was not usable (see link list at the end of this article). Now there is a 0-day vulnerability in the sandbox and Hyper-V. The reverse engineer Jonas Lykkegaard recently discovered this issue and published it in a tweet.
The vulnerability allows an unprivileged user to create an arbitrary file in the system32 Windows subfolder. Normally, files can only be placed in this Windows subfolder with elevated privileges. The vulnerability in the Windows Sandbox or with Hyper-V enabled also allows users with standard user rights to write to the system32 Windows subfolder.
To demonstrate the vulnerability in the affected driver, Lykkegaard created an empty file phoneinfo.dll in \system32. Since the creator of the file is also its owner, an attacker can use this to place malicious code in it and execute the file on demand. Security researcher Will Dorman confirms the vulnerability on Twitter and writes:
Any Windows system with Hyper-V enabled is vulnerable to a trivial privilege escalation by allowing an unprivileged user to create a file named whatever he wants and wherever he wants.
The good news is that this only works when Hyper-V is enabled on the Windows 10 / Windows Server system. This should limit the scope of an exploit, since the Hyper-V option is disabled by default. Bleeping Computer has collected more details here.
Windows 10 gets Sandbox for applications
Windows 10 V1903: Sandbox fails with error 0xc0370106
Windows 10: Update KB4483214 breaks Sandbox mode
Windows 10 V1903: Update KB4497936 breaks Sandbox
Cookies helps to fund this blog: Cookie settings