Sunday, March 29, 2020

Two More Windows 10 Zero-Day PoC Exploits Released, Bringing Total to 4

After releasing exploit code for two zero-day vulnerabilities in Windows 10 over the last 48 hours, security researcher and exploit developer SandboxEscaper today announced two more: a bypass for the CVE-2019-0841 patch and a local privilege escalation (LPE) PoC exploit called InstallerBypass.

Two days ago, SandboxEscaper released a PoC exploit for a local privilege escalation vulnerability in the Windows 10 Task Scheduler. It elevates privileges and lets a regular user gain full control over files that would otherwise only be accessible to accounts such as SYSTEM and TrustedInstaller.

Yesterday, SandboxEscaper dropped two other PoC exploits: a sandbox escape in Internet Explorer 11 (a zero-day) and a local privilege escalation affecting Windows Error Reporting (which has already been patched).

The reason for releasing these vulnerabilities is given in a May 22 post on SandboxEscaper's blog. Today, another post states that these two bugs were the last ones:

Uploaded the remaining bugs.

I like burning bridges. I just hate this world.

ps: the last Windows Error Reporting bug has probably been patched this month. The 4 other bugs on GitHub are still 0days. Have fun.

Local privilege escalation PoC

SandboxEscaper found the local privilege escalation (LPE) zero-day dubbed CVE-2019-0841-BYPASS after noticing that there was "still an issue in the code patched by CVE-2019-0841."

CVE-2019-0841 is a "Windows Elevation of Privilege Vulnerability" that was patched in the May 2019 Patch Tuesday updates. Microsoft's advisory describes it as follows:

"An elevation of privilege vulnerability exists when the Windows AppX Deployment Service (AppXSVC) improperly handles hard links. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data."

According to the researcher, the new vulnerability bypasses Microsoft's patch for CVE-2019-0841 and, after successful exploitation, lets an attacker write the discretionary access control list (DACL), which "identifies the trustees that are allowed or denied access to a securable object." In practice, the attacker chooses the target file by pointing a hard link at it, and the privileged service rewrites that file's DACL as if it were the attacker's own.

As she describes the exploitation process:

If you create the following:

(GetFavDirectory() gets the local appdata folder, fyi)

```cpp
// GetFavDirectory() and CreateNativeHardlink() are helpers from the PoC and are not shown here.
// First, a directory named after the installed Edge package, under the user-writable package folder:
CreateDirectory((GetFavDirectory() + L"\\packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_44.17763.1.0_neutral__8wekyb3d8bbwe").c_str(), NULL);
// Then a hard link inside it that aliases a file the user cannot normally modify:
CreateNativeHardlink((GetFavDirectory() + L"\\packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_44.17763.1.0_neutral__8wekyb3d8bbwe\\Email3.3.mp3").c_str(), L"C:\\Windows\\win.ini");
```

If we create that directory and put a hard link in it, it'll write the DACL.

!!!!! IMPORTANT !!!!!
Microsoft.MicrosoftEdge_44.17763.1.0_neutral__8wekyb3d8bbwe: this part must reflect the Edge version that is currently installed.
You can find this by opening Settings and scrolling down.
!!!!! IMPORTANT !!!!!
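The on-disk pattern the PoC relies on (a user-writable package directory holding a hard link that aliases a privileged file) is also what a defender can look for. The script below is an added example written for this page; it is not part of the article or of SandboxEscaper's PoC. It builds a constructed directory layout in a temporary folder (the directory and file names are assumptions standing in for C:\Windows\win.ini and the Edge package folder), plants a hard link the way the PoC does, and then scans the tree for files whose (device, inode) identity matches a protected file. On Windows, os.stat() fills st_ino with the NTFS file index and st_nlink with the link count, so the same scan can be pointed at %LOCALAPPDATA%\Packages.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

Identity = Tuple[int, int]


def file_identity(path: Path) -> Identity:
    """(device, inode) identifies a file on a volume. A hard link shares this
    identity with its target; a copy of the file does not."""
    st = path.stat()
    return (st.st_dev, st.st_ino)


def find_hardlinks_to_protected(scan_root: Path, protected: List[Path]) -> List[Tuple[Path, Path]]:
    """Walk scan_root and return (link, target) pairs for every regular file
    that is an alias of one of the protected files.

    st_nlink > 1 is a cheap pre-filter: a file with a single link cannot be
    an alias of anything. lstat() is used so symbolic links are not followed."""
    ids: Dict[Identity, Path] = {}
    for p in protected:
        try:
            ids[file_identity(p)] = p
        except FileNotFoundError:
            continue  # a protected file that does not exist cannot be aliased

    hits: List[Tuple[Path, Path]] = []
    for dirpath, _dirs, files in os.walk(scan_root):
        for name in files:
            f = Path(dirpath) / name
            try:
                st = f.lstat()
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or st.st_nlink < 2:
                continue
            ident = (st.st_dev, st.st_ino)
            if ident in ids:
                hits.append((f, ids[ident]))
    return hits


def build_demo_layout(root: Path) -> Tuple[Path, Path, Path]:
    """Constructed layout mimicking the PoC (names are assumptions for the demo):
    a 'protected' file standing in for win.ini, a package directory named after
    the installed Edge package, and a planted hard link plus an innocent copy."""
    protected_dir = root / "Windows"
    protected_dir.mkdir()
    win_ini = protected_dir / "win.ini"
    win_ini.write_text("[fonts]\n")

    pkg = (root / "Packages" / "Microsoft.MicrosoftEdge_8wekyb3d8bbwe"
           / "Microsoft.MicrosoftEdge_44.17763.1.0_neutral__8wekyb3d8bbwe")
    pkg.mkdir(parents=True)

    link = pkg / "planted.mp3"
    os.link(win_ini, link)            # the hard link the PoC plants
    copy = pkg / "copy.mp3"
    copy.write_text(win_ini.read_text())  # a plain copy, which must not be flagged
    return win_ini, link, copy


def run_demo() -> Tuple[List[Tuple[str, str]], int]:
    """Scan the constructed package tree; returns the hits found with the link
    in place and the number of hits after the link is removed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        win_ini, link, _copy = build_demo_layout(root)
        scan = root / "Packages"
        before = [(l.name, t.name) for l, t in find_hardlinks_to_protected(scan, [win_ini])]
        link.unlink()  # remove the planted link: nothing should remain to flag
        after = len(find_hardlinks_to_protected(scan, [win_ini]))
        return before, after


if __name__ == "__main__":
    found, remaining = run_demo()
    for link_name, target_name in found:
        print(f"hard link {link_name} aliases protected file {target_name}")
    print(f"hits after removing the link: {remaining}")
```

The scan compares identities rather than names because the attacker controls the link's name entirely; only the (device, inode) pair ties the planted file back to its target. Comparing against a list of sensitive files (or, on a real host, every file under C:\Windows) is cheap, since files with st_nlink == 1 are skipped before any lookup.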

SandboxEscaper provides a PoC exploit in the PoCFiles folder of the CVE-2019-0841-BYPASS repository, which can be used to test whether a Windows machine is vulnerable.

A video demonstration of the PoC was also provided by the researcher on GitHub:

BleepingComputer compiled the PoC from source, adjusting it to target the currently installed version of Edge, and was able to confirm that a standard user is granted full control over the target file after successful exploitation, as seen in the screenshots below.

[Screenshot: user permissions on the target file before and after the PoC is run]
[Screenshot: running the PoC]

LPE PoC is difficult to reproduce

The other PoC exploit released by the researcher today, dubbed InstallerBypass, is also a local privilege escalation. It can be used to drop binaries into the Windows system32 folder and run them with elevated privileges.

As SandboxEscaper says: "Could use it with malware, you could backdoor the program. Could probably also pass the quiet flag to hide the installer UI and find another way to trigger a rollback (i.e. through an installer API, spray to medium IL, etc.)."

She also provides a detailed reproduction procedure, which may be hard to follow through to success because of a "very small timing window" in the race, along with a video demonstration of the zero-day PoC in action.
