A previously unknown vulnerability that allows attackers to obtain SYSTEM privileges on Windows computers has been publicly disclosed.
Someone with the username SandboxEscaper posted a link to a proof-of-concept exploit on Twitter and then deleted their account. The exploit is still available on GitHub and has been confirmed to work on a fully patched 64-bit Windows 10 system by Will Dormann, a vulnerability analyst at Carnegie Mellon University’s CERT Coordination Center (CERT/CC).
According to CERT/CC’s analysis, the flaw is located in the Microsoft Windows task scheduler and can be exploited through the Advanced Local Procedure Call (ALPC) interface that allows different processes to communicate with each other.
The exploit can be used to gain full control over a computer from an account with limited privileges. For example, it can be used by malware that has been executed from a regular user account or can be combined with other exploits. On its own, the exploit is not enough to compromise a system remotely without user interaction.
There is currently no patch for the vulnerability, which makes it a zero-day, and Microsoft’s next Patch Tuesday is scheduled for Sept. 11. It remains to be seen whether the company will break from its regular patching cycle to release an out-of-band update, something that historically has been done only for critical and actively exploited vulnerabilities.
“CERT/CC is currently unaware of a practical solution to this problem,” CERT/CC said in its analysis.
Attackers Start Exploiting Recently Patched Apache Struts Vulnerability
Attackers have started exploiting a recently patched critical vulnerability that affects the widely used Apache Struts web development framework and can lead to remote code execution.
The vulnerability, tracked as CVE-2018-11776, was found by researchers from code analysis firm Semmle and was fixed last week. Within days, proof-of-concept exploit code was released on GitHub, along with a Python script that makes exploitation easy.
Threat intelligence firm Recorded Future reported Friday that it detected “chatter in a number of Chinese and Russian underground forums around the exploitation of this vulnerability.”
By Monday, security firm Volexity had already started seeing active attacks targeting the flaw in the wild and installing the CNRig cryptocurrency miner. The observed exploitation attempts came from Russian and French IP addresses.
If the exploit succeeds, it will download and execute malicious Linux binaries built for three different CPU architectures: Intel, ARM and MIPS, the Volexity researchers said. This suggests that the malware will work on a wide range of hardware, including servers, desktops, laptops and even embedded devices.
Apache Struts is very popular in enterprise environments, which makes it an attractive target for attackers. Most critical vulnerabilities found in the platform over the years have been followed by widespread attacks, and one of them even led to the massive data breach suffered last year by Equifax.
“It is critical that organizations remain diligent, ensuring this software is updated quickly when new patches are released or otherwise limiting external access to websites leveraging it,” the Volexity researchers said in a blog post. “Although the main payload for Apache Struts exploits appears to be cryptocurrency miners, failure to patch also leaves an organization open to significant risk that goes beyond cryptomining. This is made evident through large breaches, such as the Equifax hack that took place due to servers running an un-patched (sic) version of the Apache Struts framework. Volexity has also observed multiple APT groups leveraging Apache Struts vulnerabilities to gain access to target networks.”
Companies should check their internal and external web applications and make sure they’re running the patched Apache Struts 2.3.35 or 2.5.17 versions, depending on which branch they use.
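As an added example that is not part of the article or of any vendor tool, the version check described above as a script: given the struts2-core jar paths found on a host, it flags those still below the fixed releases the article names (2.3.35 and 2.5.17). The jar naming pattern and the sample paths are assumptions.

```python
# Added example: inventory check for Apache Struts 2 core jars.
# Reports which struts2-core jars are below the releases that fix
# CVE-2018-11776 on their branch, as named in the article.
import re
from pathlib import Path
from typing import Optional

# Fixed releases per branch, taken from the article.
FIXED = {(2, 3): (2, 3, 35), (2, 5): (2, 5, 17)}

# Assumed jar naming convention, e.g. struts2-core-2.5.16.jar.
JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)+)\.jar$")

def parse_version(text: str) -> tuple:
    """'2.3.34' -> (2, 3, 34); tuples compare component-wise."""
    return tuple(int(p) for p in text.split("."))

def jar_version(filename: str) -> Optional[tuple]:
    """Version tuple of a struts2-core jar, or None for any other file."""
    m = JAR_RE.match(Path(filename).name)
    return parse_version(m.group(1)) if m else None

def is_vulnerable(version: tuple) -> Optional[bool]:
    """True if below the fixed release on its branch, False if at or above it,
    None if the branch is not one the article covers (needs manual review)."""
    branch = version[:2]
    if branch not in FIXED:
        return None
    return version < FIXED[branch]

def assess(paths):
    """Map each struts2-core jar path to 'vulnerable', 'patched' or 'unknown-branch'."""
    labels = {True: "vulnerable", False: "patched", None: "unknown-branch"}
    result = {}
    for p in paths:
        v = jar_version(p)
        if v is not None:
            result[p] = labels[is_vulnerable(v)]
    return result

if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts or findings.
    sample = [
        "/opt/tomcat/webapps/app/WEB-INF/lib/struts2-core-2.3.34.jar",
        "/opt/tomcat/webapps/shop/WEB-INF/lib/struts2-core-2.5.17.jar",
        "/srv/legacy/WEB-INF/lib/struts2-core-2.5.16.jar",
        "/srv/legacy/WEB-INF/lib/commons-lang3-3.7.jar",
    ]
    for path, status in assess(sample).items():
        print(f"{status:15} {path}")
```

Feed it the output of a filesystem search for struts2-core-*.jar across application directories; jars on branches outside 2.3 and 2.5 are reported for manual review rather than silently marked safe.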