A cybersecurity expert known online by the alias SandboxEscaper has released a proof-of-concept exploit for a new zero-day vulnerability she found in Microsoft's Windows operating system.
This is not the first time SandboxEscaper has leaked a proof-of-concept for a severe vulnerability: she had previously published exploits for two other zero-day Windows flaws. Releasing exploits this way, however, puts all Windows users at risk, because attackers have everything they need to exploit the vulnerability while Microsoft is still working on a patch.
The new Windows zero-day could allow a low-privileged user or a malicious program to read the content of any file on the targeted Windows computer, including files that only users with administrator-level privileges should be able to access.
SandboxEscaper informed Microsoft of the vulnerability before leaking the exploit online.
The Windows feature "MsiAdvertiseProduct"
The vulnerability was found in the Windows "MsiAdvertiseProduct" function, which is responsible for generating "an advertise script or advertises a product to the computer and enables the installer to write to a script the registry and shortcut information used to assign or publish a product," as SandboxEscaper wrote on Reddit.
According to her, the affected function can be abused because of improper validation: a caller can trick the installer service into making a copy of any file with SYSTEM privileges and then read the copy's content. In practice, this is an arbitrary file read vulnerability.
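The bug class described above is a confused deputy: a service running as SYSTEM performs a file copy that a low-privileged caller requested, and checks access against its own identity instead of the caller's. The following is an added illustration written for this article; it is a constructed toy model, not Windows Installer code and not SandboxEscaper's proof-of-concept. The sample filesystem, the principals "admin", "bob" and "SYSTEM", and the function names are all assumptions made for the example. It places the unvalidated copy beside the hardened form, in which the service checks the source and destination against the requesting caller's rights (the equivalent of impersonating the client before touching the file on Windows).

```python
"""Toy model of a confused-deputy file copy in a privileged service.

Constructed simulation for illustration only: it is not Windows Installer
code and not the leaked proof-of-concept.
"""
from dataclasses import dataclass


@dataclass
class Entry:
    """A simulated file: its content plus the principals allowed to read/write it."""
    content: bytes
    readers: frozenset
    writers: frozenset


# Identity the simulated service runs under (assumption: a SYSTEM-like account).
SERVICE_IDENTITY = "SYSTEM"

# Constructed sample filesystem: one file readable only by admin/SYSTEM and one
# file the low-privileged user "bob" legitimately owns.
SAMPLE_FS = {
    r"C:\Users\admin\secret.txt": Entry(
        b"admin-only data", frozenset({"admin", "SYSTEM"}), frozenset({"admin", "SYSTEM"})),
    r"C:\Users\bob\notes.txt": Entry(
        b"bob's notes", frozenset({"bob", "SYSTEM"}), frozenset({"bob", "SYSTEM"})),
}

# Constructed directory ACLs: who may create files in each directory.
SAMPLE_DIRS = {
    r"C:\Users\admin": frozenset({"admin", "SYSTEM"}),
    r"C:\Users\bob": frozenset({"bob", "SYSTEM"}),
}


def _parent(path):
    """Directory part of a backslash-separated path."""
    return path.rsplit("\\", 1)[0]


def _check(fs, path, principal, mode):
    """Return the entry at 'path' if 'principal' may access it in 'mode' ('r' or 'w')."""
    entry = fs.get(path)
    if entry is None:
        raise FileNotFoundError(path)
    allowed = entry.readers if mode == "r" else entry.writers
    if principal not in allowed:
        raise PermissionError(f"{principal} may not {mode} {path}")
    return entry


def read_as(fs, principal, path):
    """Read a file as 'principal', enforcing the simulated ACL."""
    return _check(fs, path, principal, "r").content


def vulnerable_copy(fs, caller, src, dst):
    """Confused deputy: the source is read with the service's own identity, so the
    caller's (lack of) rights on 'src' is never consulted. The copy is created where
    the caller asked and is owned by the caller, who can then read it freely."""
    entry = _check(fs, src, SERVICE_IDENTITY, "r")
    owners = frozenset({caller, SERVICE_IDENTITY})
    fs[dst] = Entry(entry.content, owners, owners)
    return dst


def hardened_copy(fs, dirs, caller, src, dst):
    """Hardened form: every access is checked against the requesting caller, both the
    read of 'src' and the creation of 'dst' in its directory. On Windows a service
    achieves this by impersonating the client (e.g. RpcImpersonateClient) for the
    duration of the file operations instead of acting as SYSTEM."""
    entry = _check(fs, src, caller, "r")
    if caller not in dirs.get(_parent(dst), frozenset()):
        raise PermissionError(f"{caller} may not create files in {_parent(dst)}")
    owners = frozenset({caller, SERVICE_IDENTITY})
    fs[dst] = Entry(entry.content, owners, owners)
    return dst


def demo():
    """Low-privileged 'bob' asks the service to copy the admin-only file into his
    own directory. Returns (what bob can read after the vulnerable copy, whether the
    hardened service refused the same request)."""
    secret = r"C:\Users\admin\secret.txt"
    target = r"C:\Users\bob\leak.txt"

    fs = dict(SAMPLE_FS)
    vulnerable_copy(fs, "bob", secret, target)
    leaked = read_as(fs, "bob", target)  # the deputy handed bob the admin-only data

    fs = dict(SAMPLE_FS)
    try:
        hardened_copy(fs, SAMPLE_DIRS, "bob", secret, target)
        blocked = False
    except PermissionError:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    print(demo())
```

The two copy routines differ in exactly one thing, the identity used for the access check on the source, which is the "improper validation" the article describes. A review of any privileged helper that performs file operations on a caller's behalf should ask the same question: at the moment the file is opened, whose token is the check made against?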
"Even without an enumeration vector, this is still bad news, because a lot of document software, like office, will actually keep files in static locations that contain the full path and file names of recently opened documents...," the expert explained.
"Thus by reading files like this, you can get filenames of documents created by other users... the filesystem is a spiderweb and references to user-created files can be found everywhere... so not having an enumeration bug is not that big of a deal."
SandboxEscaper uploaded a video demonstrating the vulnerability and published the proof-of-concept for this third zero-day on GitHub, but her GitHub account has since been blocked.
As mentioned earlier, this is the third time in the last few months that SandboxEscaper has leaked a Windows zero-day vulnerability.
In October, she released a PoC exploit for a privilege escalation in Microsoft Data Sharing. Exploiting that problem allowed a low-privileged user to delete critical system files from a targeted Windows system.
In August, she made public the details of a local privilege escalation flaw in the Microsoft Windows Task Scheduler, caused by errors in its handling of the Advanced Local Procedure Call (ALPC) service.
Microsoft fixed that vulnerability in the September 2018 Patch Tuesday updates, but before the patch arrived, cybercriminals had already used SandboxEscaper's disclosure in real-world attacks. As things stand, we can only hope that none of the larger hacking groups will exploit this new Windows zero-day in mass attacks before Microsoft releases a patch to address the issue.