A proof-of-concept exploit for a Windows zero-day that works on fully patched Windows 10 machines has been released by a security researcher. It allows an attacker to delete any kind of file on a victim machine, including system data.
The flaw (no CVE has been assigned since it was just exposed on Wednesday) is an elevation-of-privilege zero-day vulnerability in Microsoft’s Data Sharing Service (dssvc.dll). This is a local service that runs as a LocalSystem account with extensive privileges, and enables data to be brokered between applications.
According to SandboxEscaper, who released the PoC, the bug allows an adversary to delete application libraries (DLL files) – which means that the affected applications will then go look for their libraries elsewhere. If an application finds its way to a user-writeable location, it gives an attacker an opportunity to upload his or her own malicious library, resulting in machine compromise.
Mitja Kolsek, cofounder of 0patch (which has released a micropatch for the issue), detailed the privilege escalation potential for Threatpost. “Even a low-privileged user can make a request to this service for an undocumented function (only Microsoft and possibly a few outsiders know what this function does), and this function checks whether the requesting user has permissions to create a file in a chosen location,” he explained. “In order to do so, it ‘impersonates’ the requesting user, tries to create an empty file, remembers whether this file creation succeeded and then deletes the file. The problem is that is stops impersonating the user too soon, causing said file deletion to be performed as the system user instead of the requesting low-privileged user.”
The flaw can thus open the door to a range of bad activities. “This could be exploited to facilitate lateral movement within an organization or even potentially destructive purposes – such as deletion of key system files, rendering a system inoperable,” Tom Parsons, head of research at Tenable, said in an emailed breakdown.
To the latter point, in the POC, a program that SandboxEscaper dubbed “Deletebug.exe” deletes a system file – pci.sys – on the target computer, which means a user can no longer restart it. The machine is rendered unbootable.
“What the proof-of-concept does, in simple terms, is it calls [the] function in Data Sharing Service, telling it to perform an operation on file pci.sys in some temporary folder and waits for this file to get created, then it promptly remaps said file to pci.sys in the system folder (where the user wouldn’t be able to delete it),” Kolsec explained. “As a result, the system file gets deleted.”
Will Dormann, vulnerability analyst at CERT/CC, and Kolsec both confirmed the vulnerability and were able to exploit it on fully patched and updated Windows 10 machines. Via Twitter, Dormann added that Data Sharing Service does not seem to be present on Windows 8.1 and earlier systems.
Researcher Kevin Beaumont confirmed the exploit as working on “Windows 10 and Server 2016 (and 2019) only.” He added that it “allows non-admins to delete any file by abusing a new Windows service not checking permissions again.”
“It reportedly affects the very latest versions of Microsoft operating systems and not older ones, so users may have wrongly assumed they were more secure,” said Parsons. “In addition, given that it affects both server and client operating systems, and with Windows 10 the second-most prevalent MS desktop/client OS after Windows 7, will also make this attractive to attackers.”
However, don’t expect a raft of attacks incorporating the exploit beyond disabling the machine just quite yet: as SandboxEscaper describes, the bug is “low-quality” and a “pain to exploit.”
https://twitter.com/SandboxEscaper/status/1054744201244692485
Tenable’s Parsons elaborated: “To put the threat into perspective, an attacker would already need access to the system or to combine it with a remote exploit to leverage the vulnerability,” he said.
“Even with access to the target machine, “so far we haven’t found a generic way to exploit this for arbitrary code-execution (bricking the machine is trivial),” Kolsec told Threatpost. “If a non-admin local attacker can write to any folder in the PATH environment variable (which would almost surely already be a security issue by itself), they could delete a DLL and plant a malicious copy there to get it executed the next time some privileged process needs it. However, I expect better attack vectors will likely be found.”
Beaumont also weighed in on the exploitability, noting that meaningful exploitation would take some doing:
https://twitter.com/GossiTheDog/status/1054850053746159616
While Microsoft has not yet commented on the bug, 0Patch’s micropatch for the flaw “successfully blocks the exploit by adding impersonation to the DeleteFileW call… the Delete operation now gets an “ACCESS DENIED” due to impersonation.”
7 hours after the 0day in Microsoft Data Sharing Service was dropped, we have a micropatch candidate that successfully blocks the exploit by adding impersonation to the DeleteFileW call. As you can see, the Delete operation now gets an "ACCESS DENIED" due to impersonation. pic.twitter.com/qoQgMqtTas
— 0patch (@0patch) October 23, 2018
If SandboxEscaper sounds familiar, it’s because the bug-hunter also disclosed a zero-day in August that made waves, in Windows Task Scheduler. Microsoft patched it in September’s Patch Tuesday.