A security researcher released exploit code for an unpatched bug in Windows that could allow an attacker with limited privileges to delete system files.
Exploiting the bug requires winning a race condition on the machine, so a successful exploit can take some time as it will retry until it succeeds, the researcher who uses the online handle SandboxEscaper said in the release notes.
This is the fourth Windows zero-day vulnerability publicly disclosed by SandboxEscaper in the past four months and the second in December.
Two weeks ago, the researcher published details about a vulnerability that could be exploited from a limited account to read files that shouldn’t normally be accessible to that account. That flaw could lead to sensitive information disclosure.
The new bug can be used to crash systems by deleting critical system files. For example, the researcher’s proof-of-concept exploit deletes a file called pci.sys that’s required during the boot process.
In the release notes, SandboxEscaper also speculates that the vulnerability could potentially be used to disable antivirus programs by deleting their components. If true, it can prove useful to attackers who gain a foothold on a computer to ensure that their secondary malicious payloads are not detected and blocked.
“This latest 0day from SandboxEscaper requires a lot of patience to reproduce,” Will Dormann, an analyst with the CERT Coordination Center (CERT/CC), said on Twitter. “And beyond that, it only *sometimes* overwrites the target file with data influenced by the attacker.”
However, the exploit’s reliability problems don’t seem to matter too much, as long as the attacker has virtually unlimited retries to win the race condition and can check the result.
“I haven’t tried it out yet but if it’s a local privilege escalation and you can check if exploit succeeded, I suppose it doesn’t matter if it only works once in a hundred tries,” said Mitja Kolsek, CEO of ACROS Security and co-founder of the 0patch.com micropatching service.
This time around, SandboxEscaper claims to have emailed details of the bug to Microsoft ahead of the disclosure, but only by a couple of days, to “give them a headstart.”
Microsoft’s next Patch Tuesday is Jan. 8 and it’s unlikely that the company will release a patch for this vulnerability until then. Microsoft only releases out-of-band patches for critical vulnerabilities that are already exploited in the wild, as it did recently for a vulnerability in Internet Explorer reported by Google.
This bug doesn’t appear to meet those criteria yet, but the first zero-day exploit released by SandboxEscaper back in August—a privilege escalation flaw in Windows Task Scheduler—was quickly adopted by hackers and was used in real-world attacks.
EU Will Sponsor Bug Bounties for 14 Open Source Projects
The European Commission has allocated around 851,000 euros (more than $973,000) to sponsor bug bounty programs for 14 open source software projects that are used by European Union institutions.
This is a continuation of the Free and Open Source Software Audit (FOSSA) project initiated by the EU Parliament and European Commission in 2014 to provide code audits for the Apache web server and KeePass password manager.
This second phase involves funding bug bounty programs and began in November 2017, with a pilot program for VLC media player. Now the commission has extended it to 14 other projects: 7-zip, the GNU C Library (glibc), Drupal, the Filezilla FTP client, KeePass, Notepad++, Apache Kafka, PuTTY, FLUX TL, Digital Signature Services (DSS), PHP Symfony, Apache Tomcat, WSO2 and midPoint.
Some of the bounty programs will run through the HackerOne platform, while others through Intigriti. The covered projects were selected as a result of a public survey and an inventory of open-source software used by the EU institutions.