Right on the heels of a privilege escalation zero-day vulnerability for Windows 10 released yesterday, the same researcher has released exploit code for two more vulnerabilities today.
A security researcher named SandboxEscaper is known for dropping zero-day vulnerabilities and exploits for Microsoft. Just yesterday, the researcher released a local privilege escalation vulnerability that utilizes the Windows 10 Task Scheduler. When used, the vulnerability allows users gain permissions to files that they would normally not have.
Today, SandboxEscaper released code that exploits two more vulnerabilities; one local privilege escalation vulnerability in Windows Error Reporting (tracked as CVE-2019-0863) and a sandbox escape vulnerability for Internet Explorer 11.
The only reason given for releasing these vulnerabilities is the following post from SandboxEscaper’s blog.
“There’s two more bugs on github.
*** this *** industry. I don’t plan to make a career in it anyway.
I hate all the people involved in this industry.
Everyone just thinks they know better. Everyone just loves pointing fingers.
Bunch of apes.
At this point, users that have the latest security updates from Microsoft are safe against CVE-2019-0863, but the status for the IE 11 bug is unknown.
Internet Explorer 11 Sandbox Escape zero-day
Windows Error Reporting LPE bug
The second security issues tackled by SandboxEscaper is called AngryPolarBearBug2 and is a local privilege elevation vulnerability that exploits a bug in Windows Error Reporting. The flaw received a fix this month and credit for discovering and reporting is given to Gal De Leon of Palo Alto Networks and Polar Bear, which SandboxEscaper sometimes uses as an alias and is also the name of her GitHub repository with exploit code.
It does this by exploiting a race condition between two function calls in order to create a hardlink with elevated permission to a file of the attackers choice. This could allow the attacker to modify or delete a file they do not normally have access to.
In SandboxEscapers PoC, they state that when the exploit succeeds it will make the C:\Windows\System32\drivers\pci.sys writable by a non-admin, which is normally not the case as shown below.
If successful, the exploit will allow a normal user to delete the PCI.sys file.
The good news is that this vulnerability is not easy to exploit. According to SandboxEscaper, it can take up to 15 minutes for the exploit to trigger and even then it may not work.
It can take upwards of 15 minutes for the bug to trigger. If it takes too long, closing the program, cleaning out the reportarchive folder in programdata (it may mess up the timing if there’s too many reports in there as result of running our poc for too long), deleting the c:\blah folder.. etc.. might help.
“I guess a more determined attacker might be able to make it more reliable. It is just an insanely small window in which we can win our race, I wasn’t even sure if I could ever exploit it at all. “
SandboxEscaper also says that the exploit has a better chance of success with more powerful computers and even then it can take a long time to exploit.
“The race condition is incredibly hard to win. I havn’t tested on another setup.. but you definitely need multiple processor cores and you may have to wait minutes for it to work (It can take a really long time.. ). Anyway… in an LPE scenario time is not that much of an issue.”
BleepingComputer was not able to trigger this vulnerability using SandboxEscaper’s PoC.
Update [05.23.2019]: The AngryPolarBearBug2 bug is not a zero day. Security researcher Gal De Leon of Palo Alto Networks confirms that the exploit code is actually a proof-of-concept for CVE-2019-0863. De Leon is credited by Microsoft for reporting the bug, along with Polar Bear, which is the name Sandbox Escaper uses for her GitHub repo with exploit code.
SandboxEscaper released the exploit for CVE-2019-0863 (https://t.co/KZgdpeWBFr), also discovered by me 🙂
The race is quite difficult to win but possible, and it provides a primitive to overwrite the DACL of an arbitrary file.
— Gal De Leon (@galdeleon) May 23, 2019