A hacker has found a new way to break the Windows 10 app security model. SandboxEscaper, who has found three zero-day bugs in Windows over the past four months, has now found another one. This one is a bug that makes it possible to overwrite files.
The security researcher published proof-of-concept code on GitHub with which the file pci.sys is overwritten. That file is needed for the physical hardware in a device, and if it is not intact, the device cannot boot. Because of the bug, the file can be overwritten with arbitrary data, rendering the computer unusable.
Proof-of-concept
For the proof-of-concept code, SandboxEscaper uses the information about software and hardware problems that Windows collects via the Windows Error Reporting (WER) feedback infrastructure. The researcher states that the exploit does not always work and will not have the same effect on every CPU.
For example, she was unable to reproduce the bug on a device with only one CPU core. It may also take some time before the bug actually triggers. According to SandboxEscaper, the exploit relies on Windows being in a particular state; if that is not the case, the exploit will not produce the desired outcome.
Will Dormann, a security analyst at CERT/CC who was able to exploit the bug successfully on Windows 10 Home, build 17134, confirms this. According to Dormann, the bug can only be exploited occasionally.
This latest 0day from SandboxEscaper requires a lot of patience to reproduce. And beyond that, it only *sometimes* overwrites the target file with data influenced by the attacker. Usually it's unrelated WER data. https://t.co/FnqMRpLy77 pic.twitter.com/jAk5hbr46a
— Will Dormann (@wdormann) December 29, 2018
But as Mitja Kolsek, CEO of Acros Security, makes clear: it doesn't really matter if the bug only succeeds one time in a hundred. If it can be exploited at all, that's a problem.
I haven't tried it out yet but if it's a local privilege escalation and you can check if exploit succeeded, I suppose it doesn't matter if it only works once in a hundred tries.
— Mitja Kolsek (@mkolsek) December 30, 2018
The exploit is the second that SandboxEscaper has publicly released this month. On 19 December she also published code that makes it possible to read certain files. At the end of August and in October she published further exploits that made privilege escalation possible.
This news article was automatically translated from Dutch.