Proof-of-concept code for a new zero-day vulnerability in Windows has been released by a security researcher before Microsoft was able to release a fix.
The code exploits a vulnerability that allows any file on the machine, including operating system files, to be deleted without the required permissions, and it has the potential to lead to privilege escalation.
The vulnerability could be used to delete application DLLs, thus forcing the programs to look for the missing libraries in other places. If the search reaches a location that grants write permission to the local user, the attacker could take advantage by providing a malicious DLL.
The problem lies in the Microsoft Data Sharing Service, present in Windows 10, Server 2016 and Server 2019, which brokers data between applications.
Will Dormann, a vulnerability analyst at CERT/CC, tested the exploit code successfully on a Windows 10 operating system running the latest security updates.
Behind the discovery is a researcher using the online alias SandboxEscaper, who in late August also publicly disclosed another security bug, in the Windows Task Scheduler component.
Malware developers were quick to incorporate the exploit for the previous bug disclosed by SandboxEscaper into their software. This is unlikely to happen with the issue in the Data Sharing Service.
Although deleting operating system files and the prospect of privilege escalation are serious threats, the bug is "low quality" and a "pain to exploit," as SandboxEscaper herself describes it.
Security researcher Kevin Beaumont labels the bug as a "cool find" that he thinks would be difficult to take advantage of "in a meaningful way."
It’s a cool find again. I think it would be fairly difficult to exploit in a meaningful way, you could possibly do it against some OEM drivers (e.g. graphics card update process) but I can’t imagine practical. — Kevin Beaumont (@GossiTheDog) October 23, 2018
In a text file describing the bug, SandboxEscaper says that an attacker could trigger DLL hijacking in third-party software "or delete temp files used by a system service in c:/windows/temp and hijack them and hopefully do some evil stuff."
In a conversation with BleepingComputer, Acros Security CEO Mitja Kolsek said that he could not find a "generic way to exploit this for arbitrary code execution." He noted that the exploit can easily brick the machine, though, and that there is a potential risk of DLL hijacking.
"If non-admin local attacker can write to any folder in the PATH environment variable (which would almost surely already be a security issue by itself), they could delete a DLL and plant a malicious copy there to get it executed the next time some privileged process needs it. However, I expect better attack vectors will be found," Kolsek said.
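The condition Kolsek describes, a PATH directory that a standard user can write to, is something an administrator can check for. The following PowerShell audit is an added example, not code from the article, SandboxEscaper or Acros Security; the set of well-known SIDs it treats as low-privilege and the write-rights mask it tests are assumptions chosen for this check.

```powershell
# Added example: list directories on the machine-wide PATH that low-privilege
# principals can write to. Such a directory is what lets an arbitrary file
# delete turn into DLL hijacking when a privileged process re-searches PATH.

# Assumed set of principals every standard user belongs to.
$weakSids = @(
    'S-1-1-0',      # Everyone
    'S-1-5-11',     # Authenticated Users
    'S-1-5-32-545', # BUILTIN\Users
    'S-1-5-4'       # INTERACTIVE
)

# Rights that allow creating or replacing a file in the directory.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::CreateFiles

$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')

foreach ($entry in ($machinePath -split ';' | Where-Object { $_.Trim() -ne '' })) {
    $dir = [Environment]::ExpandEnvironmentVariables($entry.Trim())

    # A PATH entry that does not exist is worth reviewing on its own:
    # if a standard user can create it, the same hijack applies.
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        Write-Warning "PATH entry does not exist, review its parent folder: $dir"
        continue
    }

    $acl = Get-Acl -LiteralPath $dir
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        # Resolve the account name to a SID so the check is locale-independent.
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }

        if (($weakSids -contains $sid) -and
            (([int]$ace.FileSystemRights -band [int]$writeMask) -ne 0)) {
            [pscustomobject]@{
                Directory = $dir
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}
```

Any directory the script reports should have its ACL tightened so that only administrators and SYSTEM can create or replace files in it; the warning for missing entries points at stale PATH entries whose parent folder permissions deserve the same review.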
Kolsek noticed that the two bugs disclosed by SandboxEscaper share some similarities, but the differences make them two separate issues.
The bug seems similar to @SandboxEscaper's Scheduler Service local privilege escalation bug in the sense of leaving some important operation un-impersonated. (Wondering what else is affected by similar bugs.) — Mitja Kolsek (@mkolsek) October 23, 2018
SandboxEscaper highlights the difference between the two problems as well, saying in a tweet following the release of the proof-of-concept (PoC) that it "does not write garbage to files but actually deletes them."
Not the same bug I posted a while back, this doesn't write garbage to files but actually deletes them.. meaning you can delete application dll's and hope they go look for them in user write-able locations. Or delete stuff used by system services c:\windows\temp and hijack them. — SandboxEscaper (@SandboxEscaper) October 23, 2018
The exploit she created deletes "pci.sys," a critical system file, and renders the computer unbootable.
Microsoft has yet to address the issue, but a temporary solution is already available through the 0Patch platform from Kolsek's company. A micropatch candidate was ready seven hours after the zero-day vulnerability was announced, and it blocked the exploit successfully.
0Patch now delivers the stable version of the micropatch for fully updated Windows 10 1803:
We have just published a free micropatch for @SandboxEscaper's #deletebug arbitrary delete vulnerability for fully updated Windows 10 1803. Users with online 0patch Agents will have it auto-applied within 60 minutes. Everyone else, download from https://t.co/UMXoQqpLQh — 0patch (@0patch) October 24, 2018