SandboxEscaper Drops Three More Windows Exploits, IE Zero-Day


As promised, developer SandboxEscaper has dropped exploit code for four more bugs, on the heels of releasing a Windows zero-day yesterday.

On the heels of releasing a Windows zero-day exploit on Wednesday, developer SandboxEscaper has dropped exploit code for four more flaws on Thursday morning.

On Wednesday, she dropped a Windows zero-day exploit that would allow local privilege-escalation (LPE), by importing legacy tasks from other systems into the Task Scheduler utility – and she promised four more unpatched bugs while she was at it.

SandboxEscaper held true to that promise, on Thursday releasing on GitHub the proof-of-concepts (PoCs) for another three Windows LPE flaws, and a sandbox-escape zero-day vulnerability impacting Internet Explorer 11. One of them, however, turns out to already be patched.

In a Thursday blog post, the developer confirmed that she had uploaded the remaining bugs:

Uploaded the remaining bugs.
I like burning bridges. I just hate this world.
PS: that last Windows Error Reporting bug was apparently patched this month. Other 4 bugs on GitHub are still 0-days. Have fun.

As she pointed out, one flaw for which exploit code was dropped on Thursday, a Windows Error Reporting (WER) bug (CVE-2019-0863), was actually patched earlier this month in Microsoft’s May Patch Tuesday fixes (acknowledgement was given to a Palo Alto Networks researcher and “Polar Bear,” an alias sometimes used by SandboxEscaper). That is an elevation-of-privilege vulnerability that exists in the way WER handles files, enabling an attacker to run arbitrary code in kernel mode; install programs; view, change or delete data; or create new accounts with administrator privileges.

The second flaw is a zero-day impacting Internet Explorer 11, which could enable bad actors to inject a dynamic link library (DLL) into Internet Explorer. The third is a bypass for a previously released patch addressing a Windows permissions-overwrite, privilege-escalation flaw (CVE-2019-0841). The bug exists because Windows AppX Deployment Service (AppXSVC) improperly handles hard links.

A final flaw is an “installer bypass” issue in Windows update, a demo for which was uploaded onto GitHub and is pasted below:

For this flaw, “there is still a race condition in the installer,” said SandboxEscaper. “So there is a really small timing window to win a race, where if we set a junction after the check but before it writes the DACL [Discretionary Access Control List] we can still get our original PoC to work. Again, it’s a really small timing window, and while it appears to reliably reproduce on my setup… I don’t know if it will for yours. I’ve attached a procmon.exe log.”
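The race described above is a check-then-write pattern: a path is validated, a DACL is then written to that path, and a junction dropped into the gap redirects the write to an object that was never checked. The constructed POSIX C example below (added here, not the researcher's PoC or Microsoft's code) shows the same class with a symlink standing in for the junction and file mode bits standing in for the DACL, with the redirect already in place rather than raced so the outcome is deterministic; all function and path names are assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

struct race_outcome { mode_t after_path; int handle_rc; mode_t after_handle; };

/* Vulnerable shape: lstat() is the "check", chmod() the "write". chmod() resolves
 * links, so whatever the path points at when the write happens gets the mode. */
static int set_mode_by_path(const char *path, mode_t mode) {
    struct stat st;
    if (lstat(path, &st) != 0) return -1;
    /* race window: the path can be swapped for a link (junction) right here */
    return chmod(path, mode);
}

/* Hardened shape: open with O_NOFOLLOW, validate the handle, act on the handle.
 * A link is refused with ELOOP (reported as -2) instead of being followed. */
static int set_mode_by_handle(const char *path, mode_t mode) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return errno == ELOOP ? -2 : -1;
    struct stat st;
    int rc = (fstat(fd, &st) == 0 && S_ISREG(st.st_mode)) ? fchmod(fd, mode) : -1;
    close(fd);
    return rc;
}

/* Constructed scenario: a 0600 "protected" target and a link to it in a fresh temp
 * dir; both shapes are applied through the link and the target's mode reported. */
struct race_outcome demo_race_outcome(void) {
    struct race_outcome out = { 0, -99, 0 };   /* -99 = scenario setup failed */
    char dir[] = "/tmp/toctou.XXXXXX", target[64], link[64];
    struct stat st;
    if (!mkdtemp(dir)) return out;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(link, sizeof link, "%s/link", dir);
    int fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || close(fd) != 0 || symlink(target, link) != 0) return out;
    set_mode_by_path(link, 0666);                   /* silently lands on target */
    if (stat(target, &st) == 0) out.after_path = st.st_mode & 0777;
    chmod(target, 0600);                            /* reset for the second run */
    out.handle_rc = set_mode_by_handle(link, 0666); /* refused: -2 */
    if (stat(target, &st) == 0) out.after_handle = st.st_mode & 0777;
    unlink(link); unlink(target); rmdir(dir);
    return out;
}
```

The Windows equivalent of the hardened shape is to open the object with FILE_FLAG_OPEN_REPARSE_POINT and apply the DACL to that handle rather than to the path name.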

Though SandboxEscaper released PoC demos for these last three flaws, researchers have not yet confirmed their validity.

The motivation for releasing exploit code without giving the vendor time to issue a patch is unclear, though earlier in the week, SandboxEscaper said she would like to sell the exploits to non-Western buyers for 60,000 in unspecified currency.

“Clearly she isn’t a fan of the west,” said Adam Kujawa, director of Malwarebytes Labs, speaking to Threatpost. “Her motivation may be political, however since she isn’t a reverse engineer and her ‘exploits’ are more privilege-escalation attacks than methods of infecting new systems (which make them far less dangerous than other exploits out there), I doubt she is a professional vulnerability hunter. However, she is obviously financially motivated.”

SandboxEscaper has released fully functional Windows zero-days in the past: In August, for instance, she debuted another Task Scheduler flaw on Twitter, which was quickly exploited in the wild in a spy campaign just two days after disclosure.

In October, SandboxEscaper released an exploit for what was dubbed the “Deletebug” flaw, found in Microsoft’s Data Sharing Service (dssvc.dll). And towards the end of 2018 she offered up two more: the “angrypolarbearbug,” which allows a local unprivileged process to overwrite any chosen file on the system; and a vulnerability that allows an unprivileged process running on a Windows computer to obtain the content of an arbitrary file – even if permissions on such a file don’t allow it read access.
