Angry Techie Publishes Three Zero-Days Targeting Windows & IE11

A disgruntled tech expert has published proof of concept code for three Windows-related bugs, all without giving Microsoft the chance to fix them.

On Tuesday 21 May the programmer, who goes by the name SandboxEscaper, published the first exploit, for a local privilege escalation (LPE) flaw. She released the proof of concept code on the code sharing site GitHub (which Microsoft owns).

The code exploits a privilege escalation flaw in the Windows 10 Task Scheduler. The attacker imports a task file in the legacy .job format and runs it, manipulating the scheduler service, which runs as SYSTEM, into carrying out the task with those elevated privileges.

There are some caveats to that bug, explains Craig Young, principal security researcher at security company Tripwire. Firstly, as an LPE it doesn’t compromise a system on its own. An attacker who already has a foothold on the machine would use it as one step in a larger attack to turn that foothold into full control.

“The biggest limiting factor of this attack is that it requires the attacker to have knowledge of a valid username and password for the targeted system,” he adds. “This means that an attacker who has simply achieved code execution on a target (rather than compromising a password) would not be able to gain elevated permissions with this technique.”

Nevertheless, Microsoft should patch this quickly, he warns, as it would be possible for an insider to exploit this flaw and gain administrative privileges on their machine. Alternatively, an attacker who could phish Windows login credentials and get remote access could exploit the flaw.

“I have four more unpatched bugs where that one came from,” she said in a blog post announcing the code. “3 LPEs (all gaining code exec as system, not lame delete bugs or whatever), and one sandbox escape.”

She published one of these LPE bugs along with the sandbox escape bug on Wednesday. A sandbox is a restricted environment in which a program runs untrusted code, such as web content, with reduced privileges, so that a compromise of that code cannot reach the rest of the system; a sandbox escape is a bug that lets the code break out of those restrictions.

The LPE bug lies in how Windows creates a Discretionary Access Control List (DACL), the list of entries on a file or other object that says which users and groups may access it and how. The other exploit appears to escape the sandbox in which Internet Explorer 11 runs web content.
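Both Windows LPEs above end with a low-privileged user holding rights they should not have, either through the scheduler's handling of a legacy .job file or through a badly built DACL. The following is an added defensive check, written for this page and not taken from the article or from SandboxEscaper's code, that a Windows administrator can run with PowerShell to look for the traces such a bug leaves: recently written legacy-format .job files in %windir%\Tasks (Windows 10 does not normally create these itself) and files under protected system directories whose DACL grants write, delete or permission-change rights to a principal other than SYSTEM, Administrators or TrustedInstaller. The directories scanned, the list of trusted principals and the seven-day window are assumptions for the example; adjust them for your estate.

```powershell
# Added example: post-incident/hygiene checks for the two LPE classes discussed above.
# Not exploit code, and not the researcher's code. Paths, principal list and the
# time window are assumptions for illustration.

# Legacy (Task Scheduler 1.0) task files are *.job files in %windir%\Tasks;
# modern tasks are XML files under %windir%\System32\Tasks.
function Find-LegacyJobFiles {
    param(
        [string]$TasksDir = (Join-Path $env:windir 'Tasks'),  # assumption: default location
        [int]$Days = 7                                        # assumption: look-back window
    )
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $TasksDir -Filter '*.job' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $cutoff } |
        ForEach-Object {
            $acl = Get-Acl -LiteralPath $_.FullName
            [pscustomobject]@{
                Path          = $_.FullName
                LastWriteTime = $_.LastWriteTime
                Owner         = $acl.Owner   # a non-admin owner on a .job file is unusual
            }
        }
}

# Principals expected to hold write rights on files under %windir% (assumption;
# add service accounts that legitimately own files in the scanned directories).
$script:TrustedPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'
)

# Rights that let a principal change a file's content or its security descriptor.
$script:WriteMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
                    [System.Security.AccessControl.FileSystemRights]::AppendData -bor
                    [System.Security.AccessControl.FileSystemRights]::Delete -bor
                    [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                    [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Find-WeakDacl {
    param(
        [string[]]$Path = @(                                  # assumption: directories to audit
            (Join-Path $env:windir 'System32\drivers'),
            (Join-Path $env:windir 'System32\Tasks')
        ),
        [string[]]$Trusted = $script:TrustedPrincipals
    )
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        $acl = Get-Acl -LiteralPath $file.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { return }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($Trusted -contains $ace.IdentityReference.Value) { continue }
            if (($ace.FileSystemRights -band $script:WriteMask) -ne 0) {
                [pscustomobject]@{
                    Path      = $file.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited   # explicit (non-inherited) ACEs are the interesting ones
                }
            }
        }
    }
}

# Usage (run from an elevated prompt so Get-Acl can read protected files):
Find-LegacyJobFiles | Format-Table -AutoSize
Find-WeakDacl | Where-Object { -not $_.Inherited } | Format-Table -AutoSize
```

A DACL rewritten by an exploit shows up as an explicit ACE for an ordinary user on a file that otherwise inherits its permissions, which is why the usage line filters on `Inherited`. The checks only find what a bug has already done; they are not a substitute for the patch, and a clean result does not mean the vulnerability is absent.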

“Exactly 100% the same bug that I'm still reproducing when I escaped the adobe reader sandbox with a filepicker window (see CVE-2018-8314),” says the original version of SandboxEscaper’s IE11 sandbox escape bug writeup. The text also complains that she was refused a bounty a year ago when she tried to report the bug. She also believes that it might work in other programs’ sandboxes too, because it exploits file picker code shared by different programs. 

“There's two more bugs on github,” the researcher announced on her site Wednesday, lambasting the tech sector. “I don't plan to make a career in it anyway. I hate all the people involved in this industry.”

These unexpected exploit code releases create real difficulties for Microsoft. SandboxEscaper deliberately published them without following a coordinated disclosure process and gave Microsoft no chance to fix them before they became public. Describing herself in her exploit code as “Bipolar Bear”, she has expressed deep enmity toward the US, the West, and “human society.”

The topic of Threats, Exploits and Vulnerabilities will be covered throughout the free-to-attend conference at Infosecurity Europe in London from 4-6 June.
