New Windows Zero-Day Flaw Dropped on Twitter

A new vulnerability affecting Windows 10 has been disclosed on Twitter before being patched and it allows attackers to delete system files or to replace sensitive libraries.

The vulnerability is located in the Windows Data Sharing Service (dssvc.dll) and was disclosed by a Twitter user using the handle SandboxEscaper. This is the same person who disclosed the Windows zero-day flaw in Task Scheduler in late August that later started being exploited by cybercriminals.

Like the Task Scheduler flaw, the new vulnerability can be used for privilege escalation, but exploitation is not straightforward. The proof-of-concept exploit released by SandboxEscaper on GitHub leverages the flaw to delete system files.

“Not the same bug I posted a while back, this doesn’t write garbage to files but actually deletes them.. meaning you can delete application dll’s and hope they go look for them in user write-able locations,” SandboxEscaper said. “Or delete stuff used by system services c:windowstemp and hijack them.”

The first suggestion refers to a technique called DLL hijacking or DLL planting. Developers design their programs to search for libraries in various folders on the system in a certain order, usually starting with the application’s main folder.

So, an attacker could leverage this vulnerability to delete a DLL file belonging to an application running with administrative privileges and then plant a DLL file with the same name in a directory that’s in the program’s library search path. When the targeted program attempts to load the library again it won’t find it in its own folder and will begin searching for it in other locations, eventually executing the attacker-provided file with administrative privileges.

The second exploitation technique is similar and involves replacing temporary files created by system services in c:windowstemp and then waiting for those services to execute the rogue files.

“There are probably other avenues,” as well, Mitja Kolsek, CEO of ACROS Security and cofounder of the 0patch.com service said on Twitter. ACROS confirmed the vulnerability on Windows 10 build 1507, Windows 10 build 1803 and Windows Server 2016 and created a free micropatch for it.

“It’s perhaps worth noting that the service used by the PoC, Data Sharing Service (dssvc.dll), does not seem to be present on Windows 8.1 and earlier systems,” Will Dorman, a vulnerability analyst at the Carnegie Mellon University’s CERT Coordination Center (CERT/CC), said on Twitter.

Privilege escalation vulnerabilities are valuable for attackers because they allow malware executed by users with limited privileges to take full control over compromised systems. The Windows Task Scheduler vulnerability, CVE-2018-8440, disclosed in August was quickly incorporated by attackers into their campaigns and was already being used in the wild when Microsoft patched it Sept. 12. Even though the new flaw is harder to exploit, there’s a high possibility that it will be abused before Microsoft’s next Patch Tuesday.

Magecart Card Skimming Group Probes Magento Shops for Zero-Day Flaws

A group of attackers known for injecting payment card skimming code into online shops has been probing Magento-based websites for unpatched vulnerabilities in a large number of extensions.

According to Dutch security researchers Willem de Groot who has been tracking the attacks, the hackers appear to have access to a list extensions vulnerable PHP Object Injection (POI).

“This attack vector abuses PHP’s unserialize() function to inject their own PHP code into the site,” de Groot said in a blog post. “With that, they are able to modify the database or any Javascript files. As of today, many popular PHP applications still use unserialize(). Magento replaced most of the vulnerable functions by json_decode() in patch 8788, but many of its popular extensions did not.”

Based on what he’s seen so far, de Groot believes the Magecart attackers have a list of more than 20 extensions that are vulnerable to POI and are actively scanning websites for their presence.

The researcher is still working through the malicious requests he’s seen trying to identify the exact extensions being targeted. His blog post contains a list of those identified so far and their patch status.

If an attack is successful, the attackers inject a fake credit card form that overlays the payments page. When users fill in their details and hit submit, the form disappears and users are left with the real payment page. Meanwhile, the stolen data is sent to a remote server.

De Groot’s blog post includes a method that Magento site owners can use to block all the malicious requests identified so far.

Lucian Constantin

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 298 posts and counting.See all posts by lucian-constantin