SandboxEscaper Drops 4 Windows Zero-Days

A Belgian security researcher just unleashed four Windows zero-days. (Well, five, except one was already fixed in this month’s Patch Tuesday.)

T. van Houtte, also known as SandboxEscaper, dropped her proofs-of-concept onto GitHub this week. So not really what you’d call “responsible” disclosure.

But at least she didn’t sell them to “enemies of the U.S.,” like she threatened. In today’s SB Blogwatch, we salute the polar bear.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: no no no no.


Zer0-Day Buffet

What’s the craic? Lindsey O’Donnell—“SandboxEscaper Drops [Four] Zero-Days”:

 On the heels of releasing a Windows zero-day exploit on Wednesday, developer SandboxEscaper has dropped exploit code for four more flaws. … On Wednesday, she dropped a Windows zero-day exploit that would allow local privilege-escalation (LPE). [And today she is] releasing on GitHub the proof-of-concepts (PoCs) for another three Windows LPE flaws, and a sandbox-escape zero-day vulnerability impacting Internet Explorer 11. One of them however turns out to already be patched.

One flaw … a Windows Error Reporting (WER) bug (CVE-2019-0863), was actually patched earlier this month. … The second flaw is a zero-day impacting Internet Explorer 11, which could enable bad actors to inject a dynamic link library (DLL). … Third is a bypass for a previously released patch addressing a Windows permissions-overwrite, privilege-escalation flaw (CVE-2019-0841). … A final flaw is an “installer bypass” issue in Windows update.

Yikes. Chris Williams adds, “Bug-hunter reveals another ‘make me admin’ Windows 10 zero-day”:

 [They were] revealed on Microsoft-owned GitHub, funnily enough, by a pseudonymous netizen. … She has previously dropped Windows zero-days that can be exploited to delete or tamper with operating system components, elevate local privileges, and so on.

To be generous to Microsoft, privilege escalation flaws are a dime a dozen in Windows: the software giant patches them every month in its operating system. … Spokespeople for Microsoft declined to comment.

What’s her motivation? Davey Winder calls her a “Rogue Security Researcher With Grudge Against FBI”:

 Yesterday [she said] she had four more zero-days that were up for sale to non-western buyers. … Those zero-day exploit bombs have now been dropped into the public domain instead.

What exactly is motivating SandboxEscaper? [It] doesn’t seem to be financial. … Given their relatively low threat impact … the exploits … probably wouldn’t be worth a fortune in bug bounties.

The real reasoning [is] not subtle. … The motivation would seem to be getting back at the U.S. for a perceived injustice.

It’s not just the FBI and the U.S. that are on the receiving end of this apparent hatred, some of it is reserved for the information security industry itself.

But what’s with the polar bear? Here’s Jkvr. van Houtte to explain:

 I don’t know how this life thing works. … I don’t know where to go from here.

I’m a polar bear. Polar bears are solitary beings. They wander the ice alone, in the cold winter night.

I’m donating all my work to enemies of the U.S. … If any non-western people want to buy LPEs, let me know. … Won’t sell for less than 60k for an LPE.

I have most definitely given portions of my work to people who hate the US. That’s what happens when the FBI subpoenas my Google acc and intrudes my privacy. … An eye for an eye.

I’m going to disappear into the Arctic wilderness. … I just really hate people. … I hope the Arctic will make me happy.

[I] uploaded the remaining bugs. I like burning bridges. … 4 [of the] bugs on github are still 0days. Have fun.

Is this somehow Microsoft’s fault? Alan Mackenzie sounds sympathetic:

 Just being a decent human being doesn’t pay the rent, nor buy food. I don’t know, but I’m guessing that finding these vulnerabilities takes weeks and months of research.

Couple that with the fact that much of this research will be speculative and yield no fruit. Maybe it’s Microsoft and friends who should start “acting like grown ups” and start paying these researchers properly for their results.

Anyone else want to pile on? Pier Reviewer thinks about the “Bug class”:

 All of [SandboxEscaper’s] vulns have been of the same class. That’s not a dig at SBE. That’s a dig at [Microsoft].

When you find a vuln, the best thing to do is assume they’ve screwed up in the same way more than once and go looking for the same mistake elsewhere in the code. It’s a very efficient method.

The first bug that was dropped was a fair while ago, and sounded like it could well be endemic. MS, with source code home advantage, should have gone to town finding where else the same type of mistake had crept in and fixed it. Instead, we have this.

OK, OK, back to the ’sploits. Will Dormann—@wdormann—digs into the first PoC:

 I can confirm that this works as-is on a fully patched (May 2019) Windows 10 x86 system. A file that is formerly under full control by only SYSTEM and TrustedInstaller is now under full control by a limited Windows user. Works quickly, and 100% of the time in my testing.

Also 64-bit Windows 10, if you’re not afraid to compile your own code. … I haven’t been able to repro on Win8 or Win7 [or] Server 2012. … It’s not immediately clear yet if the PoC needs to be tweaked to work against older Windows builds, or if this is some sort of regression that only affects Windows-10-based OSes.

Windows Server 2016 and 2019 are also affected, but that shouldn’t surprise anybody. Those server editions are basically the Windows 10 product, with more stuff added.

Versions of Windows older than 10 are vulnerable, in that the Task Scheduler is impersonating SYSTEM (instead of user) when setting file ACLs. … Definitely not a home run like with Windows-10-based systems, but still a vuln.
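The symptom Dormann describes, a file that should be writable only by SYSTEM and TrustedInstaller ending up under a limited user's full control, is something a defender can check for on a fleet. The following is an added example, not code from the page, from Dormann, or from SandboxEscaper's PoC: a small Python checker that parses the path/SDDL line pairs that `icacls <path> /save <file>` writes and flags any file whose DACL grants full control to a principal other than the `SY` well-known SID or the TrustedInstaller service SID. The sample input is constructed in that two-line layout (not real icacls output), and the choice of those two SIDs as the only expected full-control holders is an assumption of the demo, so environments where Administrators legitimately hold full control would need to extend `TRUSTED_FULL_CONTROL`.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Well-known SIDs that legitimately hold full control over protected OS files.
# "SY" is the SDDL abbreviation for NT AUTHORITY\SYSTEM; the long SID is the
# NT SERVICE\TrustedInstaller service account.  (Assumed baseline for the demo.)
TRUSTED_FULL_CONTROL = {
    "SY",
    "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464",
}

# FILE_ALL_ACCESS mask, the form full control takes when SDDL writes hex rights.
FILE_ALL_ACCESS = 0x1F01FF

ACE_RE = re.compile(r"\(([^)]*)\)")


@dataclass
class Ace:
    ace_type: str   # "A" = access allowed, "D" = access denied
    flags: str      # e.g. "ID" for inherited; unused by the check
    rights: str     # symbolic codes ("FA", "FRFX") or hex ("0x1200a9")
    sid: str        # SDDL abbreviation ("BU") or full SID string

    def grants_full_control(self) -> bool:
        """True for an allow ACE whose rights amount to full control."""
        if self.ace_type != "A":
            return False
        if self.rights.lower().startswith("0x"):
            return int(self.rights, 16) & FILE_ALL_ACCESS == FILE_ALL_ACCESS
        # Symbolic rights are concatenated two-letter codes.
        codes = {self.rights[i:i + 2] for i in range(0, len(self.rights), 2)}
        return bool(codes & {"FA", "GA"})


def parse_sddl_dacl(sddl: str) -> List[Ace]:
    """Parse the DACL portion of an SDDL string into ACE records."""
    if not sddl.startswith("D:"):
        raise ValueError("expected a DACL SDDL string starting with 'D:'")
    aces = []
    for body in ACE_RE.findall(sddl):
        parts = body.split(";")
        if len(parts) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, flags, rights, _obj_guid, _inherit_guid, sid = parts
        aces.append(Ace(ace_type, flags, rights, sid))
    return aces


def parse_icacls_save(text: str) -> Dict[str, str]:
    """Parse the path / SDDL line pairs written by 'icacls <path> /save <file>'."""
    lines = [line for line in text.splitlines() if line.strip()]
    if len(lines) % 2:
        raise ValueError("expected alternating path and SDDL lines")
    return {lines[i]: lines[i + 1] for i in range(0, len(lines), 2)}


def weak_full_control(acls: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each file to the SIDs outside TRUSTED_FULL_CONTROL holding full control."""
    findings: Dict[str, List[str]] = {}
    for path, sddl in acls.items():
        offenders = [
            ace.sid for ace in parse_sddl_dacl(sddl)
            if ace.grants_full_control() and ace.sid not in TRUSTED_FULL_CONTROL
        ]
        if offenders:
            findings[path] = offenders
    return findings


# Constructed sample in the layout of an icacls /save file; not real system output.
# The second file carries an extra allow ACE giving a local user (RID 1001) full control.
SAMPLE_SAVE = """\
Windows\\System32\\good.dll
D:PAI(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;FA;;;SY)(A;;0x1200a9;;;BA)(A;;0x1200a9;;;BU)
Windows\\System32\\tampered.dll
D:PAI(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;FA;;;SY)(A;;0x1f01ff;;;S-1-5-21-1111111111-2222222222-3333333333-1001)(A;;0x1200a9;;;BU)
"""

if __name__ == "__main__":
    for path, sids in weak_full_control(parse_icacls_save(SAMPLE_SAVE)).items():
        print(f"{path}: full control granted to {', '.join(sids)}")
```

On a real host you would feed `parse_icacls_save` the contents of a file produced by `icacls C:\Windows\System32\*.dll /save acls.txt` (icacls writes that file as UTF-16 on current Windows builds, so decode it accordingly) and compare the findings against a baseline taken from a known-good image; any newly appearing full-control ACE for a non-trusted SID is the kind of change Dormann's description of the PoC would produce.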

And Gob Smacked makes this amateur diagnosis:

 [I] guess she has Asperger's syndrome. … Asperger people can be great contributors to society, but they often can’t deal with people around them and need much personal space.

Often being bullied in early life gets these kinds of results. But under all the hard talk, most Aspergers just want to be good people.

Meanwhile, @fouroctets makes 32 bits: [You’re fired—Ed.]

 Would you look at this. No hype. No logos just … zeroday.

And Finally:

Cleveland supercut


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hatemail may be directed to @RiCHi or sbbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Oksanna Briere (Pexels)

Security Boulevard

Richi Jennings

Richi is a foolish independent industry analyst, editor, writer, and fan of the Oxford comma. He’s previously written or edited for Computerworld, Petri, Microsoft, HP, Cyren, Webroot, Micro Focus, Osterman Research, Ferris Research, NetApp on Forbes and CIO.com. His work has won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
