SandboxEscaper Debuts ByeBear Windows Patch Bypass

sandboxescaper byebear bug patch CVE-2019-0841 bypass

SandboxEscaper is back, with a second bypass for the recent CVE-2019-0841 Windows patch.

Guerrilla developer SandboxEscaper has disclosed a second bypass exploit for a patch that fixes a Windows local privilege-escalation (LPE) flaw — again without notifying Microsoft.

The exploit, dubbed “ByeBear,” enables attackers to get past the patch to attack a permissions-overwrite, privilege-escalation flaw (CVE-2019-0841), which exists because Windows AppX Deployment Service (AppXSVC) improperly handles hard links. It allows a local attacker to run processes in an elevated context, allowing them to then install programs, and view, change or delete data, according to Microsoft.

SandboxEscaper released her first bypass for the that patch (which was issued in April) two weeks ago, as part of a cache of four exploits, all published without following responsible disclosure guidelines.

In a Thursday Github write up for the exploit, SandboxEscaper said that she has discovered the second bypass by working on an exploit abusing the Microsoft Edge browser. According to her GitHub write up, the bypass can be carried out by deleting all files and subfolders within (“c:\\users\\%username%\\appdata\\local\\packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\”)and then launching Edge twice (it will crash the first time, she said).

“When we launch [Edge] a second time, it will write the DACL [discretionary access control list] while impersonating ‘SYSTEM,'” according to SandboxEscaper. “The trick here is to launch Edge by clicking it on the taskbar or desktop, using ‘start microsoft-edge:’ seems to result in correct impersonation.”

In a proof-of-concept video, SandboxEscaper demonstrated the attack.

SandboxEscaper claimed that this bug is not restricted just to Edge: “This will be triggered with other packages too,” she said on GitHub. “So you can definitely figure out a way to trigger this bug silently without having Edge pop up. Or you could probably minimize Edge as soon as it launches and close it as soon as the bug completes. I think it will also trigger by just launching Edge once, but sometimes you may have to wait a little.

“I didn’t do extensive testing.. found this bug and quickly wrote up a PoC, took me like two hours total, finding LPEs is easy,” she wrote.

According to Microsoft’s description of CVE-2019-0841, “To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.”

In late May, SandboxEscaper began dropping exploit code – first for a Windows zero-day exploit that would allow local privilege-escalation (LPE), by importing legacy tasks from other systems into the Task Scheduler utility. This particular flaw now has a micropatch, thanks to the 0patch organization.

Also revealed were a Windows Error Reporting (WER) bug (CVE-2019-0863), that was patched in Microsoft’s May Patch Tuesday fixes; a zero-day impacting Internet Explorer 11, which could enable bad actors to inject a dynamic link library (DLL) into Internet Explorer; and an “installer bypass” issue in Windows update.

Mitja Kolsek of 0patch told Threatpost earlier this week that the IE bug isn’t critical enough to warrant a micropatch, and the installer bypass flaw was not able to be reproduced – “[We] know of no one being successful at that (it could be just really difficult to reproduce, or depending on some external factors that were not present in our testing environment),” he said.

0patch is however working on a micropatch for the first CVE-2019-0841 bypass, and presumably will analyze this second one as well. 

SandboxEscaper said she’d like to sell these kinds of weapons for $60,000 to non-Western buyers (as of this writing, the exploit code has been removed from Github).  She has a history of releasing fully functional Windows zero-days. Last August, she debuted another Task Scheduler flaw on Twitter, which was quickly exploited in the wild in a spy campaign just two days after disclosure.

In October, SandboxEscaper released an exploit for what was dubbed the “Deletebug” flaw, found in Microsoft’s Data Sharing Service (dssvc.dll). And towards the end of 2018 she offered up two more: The “angrypolarberbug,” which allows a local unprivileged process to overwrite any chosen file on the system; and a vulnerability allows an unprivileged process running on a Windows computer to obtain the content of arbitrary file – even if permissions on such file don’t allow it read access.

Microsoft did not respond to a request for comment from Threatpost.

Ransomware is on the rise: Don’t miss our free Threatpost webinar on the ransomware threat landscape, June 19 at 2 p.m. ET. Join Threatpost and a panel of experts as they discuss how to manage the risk associated with this unique attack type, with exclusive insights into new developments on the ransomware front and how to stay ahead of the attackers.

Suggested articles