Windows 10 zero-day details published on GitHub

SandboxEscaper details new "ByeBear" zero-day impacting Windows 10 and Server 2019.


A security researcher and exploit broker known as SandboxEscaper has published today details about a new zero-day that affects the Windows 10 and Windows Server 2019 operating systems.

The details have been published on GitHub, in the same account and repository where the researcher previously published details about eight other zero-days --listed below:

- LPE in Advanced Local Procedure Call (ALPC)
- LPE in Microsoft Data Sharing (dssvc.dll)
- LPE in ReadFile
- LPE in the Windows Error Reporting (WER) system
- LPE exploit in the Windows Task Scheduler process
- Sandbox escape for Internet Explorer 11
- an LPE in the Windows Error Reporting service -- technically not a zero-day. It was revealed that Microsoft had already patched the issue before SandboxEscaper released her demo exploit code.
- Bypass of the CVE-2019-0841 protections
- LPE targeting the Windows Installer folder

New CVE-2019-0841 bypass

Today, SandboxEscaper published a second bypass for Microsoft's CVE-2019-0841 patches, for which she previously published a first bypass two weeks ago.

According to a Microsoft security advisory, CVE-2019-0841 is a vulnerability that allows low privileged users to hijack files that are owned by NT AUTHORITY\SYSTEM by overwriting permissions on the targeted file.

Successful exploitation results in "Full Control" permissions for the low privileged user -- according to Nabeel Ahmed of Dimension Data Belgium, who Microsoft credited with discovering this bug in the first place.

Microsoft patched CVE-2019-0841 in the April 2019 Patch Tuesday, last month, describing it as a bug in the way Windows AppX Deployment Service (AppXSVC) improperly handles hard links.

On GitHub today, SandboxEscaper said there's a second way to bypass the CVE-2019-0841 fixes and allow a low-privileged attacker to hijack files to which he previously didn't have full control over. The researcher explains:

This can be triggered as following:
Delete all files and subfolders within "c:\\users\\%username%\\appdata\\local\\packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\" (atleast the ones we can delete as user)
Try to launch edge. It will crash the first time.
When we launch it a second time, it will write the DACL while impersonating "SYSTEM".
The trick here is to launch edge by clicking it on the taskbar or desktop, using "start microsoft-edge:" seems to result in correct impersonation.
You can still do this completely programmatically.. since edge will always be in the same position in the task bar.. *cough* sendinput *cough*. There is probably other ways too.
Another note, this bug is most definitely not restricted to edge. This will be triggered with other packages too. So you can definitely figure out a way to trigger this bug silently without having edge pop up. Or you could probably minimize edge as soon as it launches and close it as soon as the bug completes. I think it will also trigger by just launching edge once, but sometimes you may have to wait a little. I didn't do extensive testing.. found this bug and quickly wrote up a poc, took me like 2 hours total, finding LPEs is easy.

To be clear, this is yet another LPE (local privilege escalation) vulnerability, meaning hackers can't exploit this bug to break into systems, but they can use it to gain access to a set of files they wouldn't normally have control over.

The zero-day that SandboxEscaper showcased today uses a novel technique, but there are certainly easier, faster, and more efficient ways to obtain a local privilege elevation on Windows -- for example, using one of SandboxEscaper's previous zero-days.

This is the fourth zero-day SandboxEscaper published this month. While Microsoft might have had time to patch the previous three, it will certainly not have enough time to fix this one, as the company's Patch Tuesday security updates are scheduled for next week, June 11.

The security researcher also promised to publish details about another zero-day in the coming days.

More vulnerability reports: