Researcher Releases Two Zero-day Vulnerabilities for Windows

A security researcher known as SandboxEscaper, who is well known for dropping zero-day bugs affecting Microsoft Windows, has released two new zero-days back-to-back.

First, he released exploit code for a local privilege escalation that abuses the Windows 10 Task Scheduler. This flaw allows an attacker to gain access to files that the user does not normally have access to.
After this, SandboxEscaper published another two zero-day vulnerabilities: a local privilege escalation vulnerability in Windows Error Reporting and a sandbox escape vulnerability for Internet Explorer 11.

Windows Error Reporting LPE bug
This local privilege escalation bug, also known as AngryPolarBearBug2, exploits a bug in the Windows Error Reporting system of Windows 10. The zero-day works by exploiting a race condition between two function calls in order to create a hardlink, with elevated permissions, to a file of the attacker's choice. This could allow the attacker to modify or delete a file they do not normally have access to.

According to the PoC published by SandboxEscaper, when the exploit succeeds it makes C:\Windows\System32\drivers\pci.sys writable by a non-admin user.
The only mitigating point in the researcher's notes is that the vulnerability is hard to exploit: it may take up to 15 minutes for the exploit to trigger, and even then it may not work.
"The race condition is incredibly hard to win. I haven't tested on another setup.. but you definitely need multiple processor cores and you may have to wait minutes for it to work (It can take a really long time.. ). Anyway... in an LPE scenario time is not that much of an issue."
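As an added example (not code from the article or from SandboxEscaper's PoC), the following PowerShell check lets a defender verify the outcome the article describes on the file it names: whether pci.sys has become writable by a low-privilege principal, whether its owner and Authenticode signature are still intact, and which hardlinks point at it. The list of low-privilege principals is an assumption to adjust per environment.

```powershell
# Added defender-side check for the symptom described in the article:
# C:\Windows\System32\drivers\pci.sys becoming writable by a non-admin.
# Run from an elevated prompt so every ACE and hardlink is visible.
$target = 'C:\Windows\System32\drivers\pci.sys'   # path named in the article

# Assumed set of principals an unprivileged user typically belongs to; adjust per environment.
$lowPrivIdentities = @('BUILTIN\Users', 'Everyone',
                       'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Any of these rights lets a principal change the file or its permissions.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions

function Test-LowPrivWritable {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeMask) -ne 0) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Baseline for a stock system: owner is NT SERVICE\TrustedInstaller, signature Valid.
$acl = Get-Acl -LiteralPath $target
"Owner:     $($acl.Owner)"
"Signature: $((Get-AuthenticodeSignature -FilePath $target).Status)"

$hits = @(Test-LowPrivWritable -Path $target)
if ($hits.Count -gt 0) {
    Write-Warning "$target grants write access to a low-privilege principal; investigate for tampering."
    $hits | Format-Table -AutoSize
} else {
    "No low-privilege write access to $target."
}

# A hardlink created by the exploit shows up as an extra name for the same file.
"Hardlinks to $target:"
fsutil hardlink list $target
```

A signature status other than Valid, an owner other than TrustedInstaller, or an unexpected hardlink is worth correlating with Windows Error Reporting activity from the same time window.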
Sandbox Escape Vulnerability for Internet Explorer 11
This flaw allows an attacker to inject a DLL into a specific Internet Explorer 11 process. When the injection works, it opens a file picker and an HTML page that contains JavaScript. Right-clicking on the file picker shows that the exploit has disabled Internet Explorer Protected Mode, which means the JavaScript would have run without the restrictions of that lower-privilege security context.

At the time of writing, there is no patch available for these vulnerabilities, and users have to wait for Microsoft to release one. Microsoft may release the patches for these flaws in upcoming security updates or in emergency updates.
