After releasing exploit code for two Windows 10 zero-day vulnerabilities over the last 48 hours, security researcher and exploit developer SandboxEscaper today announced two more: a bypass for the CVE-2019-0841 patch and a PoC LPE exploit dubbed InstallerBypass.
Two days ago, SandboxEscaper released another PoC exploit for a local privilege escalation vulnerability in the Windows 10 Task Scheduler, which results in elevated privileges and lets a user gain full control over files that would otherwise be accessible only to privileged accounts such as SYSTEM and TrustedInstaller.
Yesterday, SandboxEscaper dropped two other PoC exploits: a sandbox escape in Internet Explorer 11 (a zero-day) and a local privilege escalation vulnerability affecting Windows Error Reporting (which had already been patched).
The reason for releasing these vulnerabilities was given in a May 22 post on SandboxEscaper's blog. Today, another post states that these two bugs are the last ones:
Local privilege escalation PoC
SandboxEscaper found the local privilege escalation (LPE) zero-day, dubbed CVE-2019-0841-BYPASS, after spotting that the flaw was "still in the code" exercised by CVE-2019-0841.
CVE-2019-0841 is a "Windows Elevation of Privilege Vulnerability" that was patched in the May 2019 Patch Tuesday updates.
"An elevation of privilege vulnerability exists when the Windows AppX Deployment Service (AppXSVC) improperly handles hard links. An attacker who successfully exploited this vulnerability could run processes in an elevated context and view, change or delete data."
According to the researcher, the new vulnerability bypasses Microsoft's patch for CVE-2019-0841 and, after successful exploitation, allows attackers to overwrite the discretionary access control list (DACL), which "identifies the trustees that are allowed or denied access to a securable object."
As the researcher describes the exploitation process:
SandboxEscaper provides PoC binaries in the PoCFiles folder of the CVE-2019-0841-BYPASS repository, which can be used to test for the vulnerability on Windows machines.
A video demonstration of the proof of concept was also provided by the researcher on GitHub:
BleepingComputer compiled the PoC from source to target the current version of Edge and was able to confirm that, after successful exploitation, it gives a standard user full control over the targeted file, as seen in the screenshots below.
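The end state described above, a SYSTEM- or TrustedInstaller-owned file whose DACL now grants a low-privilege account full control, is something a defender can look for directly. The PowerShell script below is an added example written for this article; it is not code from the page, from BleepingComputer or from SandboxEscaper's PoC. It assumes that System32 is the directory worth auditing and that Everyone, BUILTIN\Users, Authenticated Users and the current user are the principals worth flagging; both are assumptions exposed as parameters. It reports every file with an explicit (non-inherited) Allow ACE granting FullControl to one of those principals, together with the file's owner and last write time.

```powershell
# Added example for this article (not from the page or SandboxEscaper's PoC).
# Lists files under a protected directory whose DACL has an explicit Allow ACE
# granting FullControl to a low-privilege principal, which is the state a
# SYSTEM/TrustedInstaller-owned file is left in after a successful DACL rewrite.
# Assumptions: System32 is the directory to audit and the principals below are
# the ones worth flagging; both are parameters and can be changed.
param(
    [string]$Path = "$env:SystemRoot\System32",
    [string[]]$Principals = @(
        'Everyone',
        'BUILTIN\Users',
        'NT AUTHORITY\Authenticated Users',
        "$env:USERDOMAIN\$env:USERNAME"
    )
)

function Test-FullControlAce {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    $full    = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    $generic = 0x10000000   # GENERIC_ALL, seen when the ACE was written with generic rights
    $rights  = [int]$Ace.FileSystemRights
    return (($rights -band $full) -eq $full) -or (($rights -band $generic) -ne 0)
}

function Find-WeakDacl {
    param([string]$Root, [string[]]$Flag)
    Get-ChildItem -LiteralPath $Root -File -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        $acl  = Get-Acl -LiteralPath $file.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { return }
        foreach ($ace in $acl.Access) {
            # Inherited ACEs come from the parent directory and are not what a
            # per-file DACL rewrite produces; only explicit Allow entries matter here.
            if ($ace.AccessControlType -ne 'Allow' -or $ace.IsInherited) { continue }
            if ($Flag -notcontains $ace.IdentityReference.Value) { continue }
            if (-not (Test-FullControlAce $ace)) { continue }
            [pscustomobject]@{
                File      = $file.FullName
                Owner     = $acl.Owner
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Modified  = $file.LastWriteTime
            }
        }
    }
}

Find-WeakDacl -Root $Path -Flag $Principals | Sort-Object File | Format-Table -AutoSize
```

Run it elevated so Get-Acl can read every file; as a standard user some entries are skipped silently. An explicit FullControl entry for a low-privilege principal is unusual in System32 but not impossible, so treat hits as leads and confirm them against the owner and modification time. The check is also only as good as the moment it runs: an attacker who already holds full control over the file can put the original DACL back, so it complements rather than replaces file-integrity monitoring.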
InstallerBypass PoC is difficult to reproduce
The other zero-day PoC exploit released by the researcher today, dubbed InstallerBypass, is also a local privilege escalation and can be used to drop binaries into the Windows system32 folder and run them with elevated privileges.
As SandboxEscaper puts it: "Could use it with malware, you could backdoor the program. Maybe you can even pass the quiet flag to hide the installer UI and find another way to trigger a rollback (i.e. through an installer API, spray to medium IL etc)."
She also provides a detailed reproduction procedure, which could be problematic because of a "very small timing window," along with a video demonstration of the zero-day PoC in action: