Over the past couple of days, the security researcher who goes by the pseudonym SandboxEscaper has released several Microsoft Windows vulnerabilities to the public with no prior notice given to Microsoft. The researcher has developed a reputation in the InfoSec community for releasing vulnerabilities, Windows vulnerabilities in particular, to the public without informing the software producer or giving prior notice, as is considered good practice among researchers.
The first of the flaws, published on May 22, can be classified as a local privilege escalation (LPE) zero-day. LPE is the exploitation of a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. It is important to note that such flaws cannot be used on their own to break into a system. Rather, hackers use them at later stages of an attack to elevate their access on already compromised hosts from low-privileged to admin-level accounts. In this instance, the flaw resides in the Windows Task Scheduler process. To exploit it, the attacker would need to run a malformed .job file that changes the discretionary access control list (DACL), the list that limits who has access to a file, within the Task Scheduler. If done correctly, the attacker can raise their privileges on the system from a low level to that of an admin, at which point they are granted access to the entire system.
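As an added defender-side illustration (not part of the original article), the following PowerShell audit lists Allow ACEs on the Task Scheduler store that grant write-level rights to broad, low-privileged principals, which is the kind of DACL change the flaw above relies on. The store paths and the principal list are assumptions; adjust them for your environment.

```powershell
# Added defender-side example (not from the article): audit DACLs on the
# Task Scheduler store for Allow ACEs that grant write-level rights to broad,
# low-privileged principals. Paths and principal list are assumptions.
$TaskStores = @(
    (Join-Path $env:SystemRoot 'System32\Tasks'),  # modern task XML store (assumed default)
    (Join-Path $env:SystemRoot 'Tasks')            # legacy .job store (assumed default)
)
$BroadPrincipals = @(
    'Everyone', 'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
)
# Rights that let a caller alter the content, permissions or ownership of an object.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'Write, ChangePermissions, TakeOwnership, FullControl'

function Get-BroadWriteAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # Caveat: generic rights (shown as large negative numbers) are not decoded here.
        if (($ace.FileSystemRights -band $WriteRights) -eq 0) { continue }
        [PSCustomObject]@{
            Path      = $Path
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

$findings = foreach ($store in $TaskStores) {
    if (-not (Test-Path -LiteralPath $store)) { continue }
    Get-BroadWriteAce -Path $store
    Get-ChildItem -LiteralPath $store -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Get-BroadWriteAce -Path $_.FullName }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { Write-Output 'No broad write-level ACEs found on the task stores.' }
```

Run it from an elevated prompt so that every entry in the store can be read; a non-inherited write ACE for one of the broad principals on a task file is worth investigating.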
The second zero-day is a vulnerability in the Windows Error Reporting service which SandboxEscaper said can be exploited via a carefully placed DACL. SandboxEscaper named the vulnerability “AngryPolarBearBug2” after a similar zero-day she discovered in the same Windows Error Reporting service last December and named “AngryPolarBearBug.” This bug can take up to 15 minutes to exploit correctly, meaning that it might not appeal to hackers when simpler, easier options are available.
Again, like the first, this flaw can be classified as an LPE: if correctly exploited, it gives the attacker access to files, including the ability to edit them, that they would not normally have. The third zero-day published impacts Internet Explorer 11. This vulnerability could allow attackers to inject malicious code into Internet Explorer. According to ZDNet, this zero-day is not remotely exploitable, can only be used to neuter security protections in IE for subsequent attacks, and should be considered a low-impact issue.
Previously Published Flaws and their Impact
In 2018 SandboxEscaper released four flaws to the public, one of which was seen being exploited in the wild two days after she published her findings. That flaw affects the Advanced Local Procedure Call (ALPC) interface of the Windows Task Scheduler. Malicious actors with local access to the targeted device can exploit the flaw to escalate privileges on the targeted system by overwriting files that should normally be protected by filesystem access control lists. An access control list (ACL) specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects. For example, if a file object has an ACL that contains (Alice: read, write; Bob: read), Alice has permission to read and write the file and Bob may only read it. Like the two LPEs above, this flaw would also give an attacker raised privileges to access and edit files only a system admin would normally have access to.

Researchers at ESET discovered that this vulnerability was being exploited by the threat group PowerPool shortly after SandboxEscaper published her findings. The flaw was leveraged in attacks against users in the United States, the United Kingdom, Germany, Ukraine, Chile, India, Russia, the Philippines, and Poland in what appear to be highly targeted attacks. The attack was not sophisticated according to researchers at ESET; however, they did conclude that,
“This specific campaign targets a limited number of users, but don’t be fooled by that: it shows that cybercriminals also follow the news and work on employing exploits as soon as they are publicly available,”
This case clearly showed the dangers of releasing flaws to the public without following best practices. By publicly releasing the flaws, Windows users are placed at risk. One reason a coordinated vulnerability disclosure procedure exists is to prevent such scenarios and to help mitigate the risk to users from hackers and other threat groups. Normally, companies are informed of the vulnerability first and given a period of time to develop and release a patch. If the company ignores the flaw or misses the deadline, researchers can then go public with their findings. SandboxEscaper has earned a reputation for going straight to the public rather than following the best practices observed by much of the community. What’s more, according to her blog she has uncovered two more Windows vulnerabilities and will probably release those to the public as before. Microsoft has been quick to release patches for publicly disclosed flaws in the past, and it is foreseeable that these flaws will receive a patch on the next Patch Tuesday, scheduled for June 11. It can only be hoped that they are not serious and are of relatively low impact, so as not to draw the attention of hackers and other threat groups.