Today, SandboxEscaper published a second bypass for Microsoft's CVE-2019-0841 patches, for which she previously published a first bypass two weeks ago.
According to a Microsoft security advisory, CVE-2019-0841 is a vulnerability that allows low privileged users to hijack files that are owned by NT AUTHORITY\SYSTEM by overwriting permissions on the targeted file.
Successful exploitation results in "Full Control" permissions for the low privileged user -- according to Nabeel Ahmed of Dimension Data Belgium, who Microsoft credited with discovering this bug in the first place.
Microsoft patched CVE-2019-0841 in the April 2019 Patch Tuesday, last month, describing it as a bug in the way Windows AppX Deployment Service (AppXSVC) improperly handles hard links.
This can be triggered as follows: Delete all files and subfolders within "c:\users\%username%\appdata\local\packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\" (at least the ones we can delete as user). Try to launch edge. It will crash the first time. When we launch it a second time, it will write the DACL while impersonating "SYSTEM". The trick here is to launch edge by clicking it on the taskbar or desktop; using "start microsoft-edge:" seems to result in correct impersonation. You can still do this completely programmatically.. since edge will always be in the same position in the task bar.. *cough* sendinput *cough*. There are probably other ways too. Another note, this bug is most definitely not restricted to edge. This will be triggered with other packages too. So you can definitely figure out a way to trigger this bug silently without having edge pop up. Or you could probably minimize edge as soon as it launches and close it as soon as the bug completes. I think it will also trigger by just launching edge once, but sometimes you may have to wait a little. I didn't do extensive testing.. found this bug and quickly wrote up a PoC, took me like 2 hours total, finding LPEs is easy.
To be clear, this is yet another LPE (local privilege escalation) vulnerability, meaning hackers can't exploit this bug to break into systems, but they can use it to gain access to a set of files they wouldn't normally have control over.
The zero-day that SandboxEscaper showcased today uses a novel technique, but there are certainly easier, faster, and more efficient ways to obtain a local privilege elevation on Windows -- for example, using one of SandboxEscaper's previous zero-days.
This is the fourth zero-day SandboxEscaper published this month. While Microsoft might have had time to patch the previous three, it will certainly not have enough time to fix this one, as the company's Patch Tuesday security updates are scheduled for next week, June 11.
The security researcher also promised to publish details about another zero-day in the coming days.