Researcher publishes Windows zero-days for the third day in a row

SandboxEscaper publishes two more Windows zero-days, bringing her total up to eight zero-days in ten months.

Windows

A security researcher and exploit seller going by the name of SandboxEscaper has published today new Windows zero-days for the third day in a row.

On her GitHub account, the researcher published proof-of-concept code for two zero-days, but also short explainers on how to use the two exploits.

These two new exploits mark the seventh and eight zero-days the researcher has published in the last ten months.

To summarize, over the course of the last three days, she also published:

- LPE exploit in the Windows Task Scheduler process [May 21]
- Sandbox escape for Internet Explorer 11 [May 22]
- an LPE in the Windows Error Reporting service [May 22] -- technically not a zero-day. It was revealed that Microsoft had already patched the issue before SandboxEscaper released her demo exploit code.

Before this week's releases, SandboxEscaper had also published four other Windows zero-days last year, which included:

- LPE in Advanced Local Procedure Call (ALPC)
- LPE in Microsoft Data Sharing (dssvc.dll)
- LPE in ReadFile
- LPE in the Windows Error Reporting (WER) system

CVE-2019-0841 bypass

The first zero-day that SandboxEscaper published today is a bypass for Microsoft's current patch for CVE-2019-0841.

CVE-2019-0841 is a vulnerability that allows low privileged users to hijack files that are owned by NT AUTHORITY\SYSTEM by overwriting permissions on the targeted file. Successful exploitation results in "Full Control" permissions for the low privileged user -- according to Nabeel Ahmed of Dimension Data Belgium, who Microsoft credited with discovering this bug in the first place.

Microsoft patched CVE-2019-0841 in the April 2019 Patch Tuesday, last month, describing it as a bug in the way Windows AppX Deployment Service (AppXSVC) improperly handles hard links.

SandboxEscaper's exploit code shows that there is still one way to exploit CVE-2019-0841, despite Microsoft's patch.

Just to be clear, this is yet another LPE (local privilege escalation) vulnerability, meaning hackers can't exploit this bug to break into systems, but they can use it to gain full access to an entire PC, even if the point of intrusion was a low-privileged account.

Zero-day targeting Windows Installer folder

The second zero-day that SandboxEscaper has published today targets the Windows Installer folder (C:\Windows\Installer).

In a GitHub file, the researcher explains that there's a short interval of time (race condition) when repairing a Windows app installation when the process can be hijacked to write files to unauthorized areas of a Windows OS.

This flaw, which abuses the msiexec /fa (Repair Installation) operation, can be used to plant malware and take over computers on which hackers had initially gained access only to a low-privileged account.

Compared to the zero-days SandboxEscaper published yesterday, deemed useless by most security researchers ZDNet spoke with, these two new vulnerabilities appear to be more useful in actual malware campaigns, although, SandboEscaper did note that the second one might be a little bit unreliable because of the short time window her zero-day has to exploit vulnerable computers.

ZDNet has notified Microsoft of these two new exploits and we'll update when we get a response.

More vulnerability reports: