Governance & Risk Management , Incident & Breach Response , Managed Detection & Response (MDR)

Microsoft Zero-Day Exploit Published Before Patch

Exploit Code Published After Disclosure Process Appears to Have Gone Sideways
Microsoft Zero-Day Exploit Published Before Patch
A security research known as "SandboxEscaper" has posted proof-of-concept exploit code for a Windows zero day flaw to GitHub.

Microsoft appears set to patch a zero-day local privilege escalation vulnerability that was publicly posted on Tuesday by a security researcher.

See Also: Is Cyberstorage the New Paradigm for Data Security?

The flaw has been tested and has been found valid. In order to use it, an attacker would have to already have access to a system.

Kevin Beaumont, a U.K.-based security researcher, writes in a blog post that "it's a really neat flaw, in particular how it is exploited."

Someone going by the handle @SandboxEscaper on Twitter found the flaw. Her tweets after posting the flaw indicated some sort of friction during the disclosure process.

She later tweeted: "Enjoy the 0day. It will get patched really fast. I guess I had fun today. Now I'm gone for a while, bye."

Unusual Release Timing

It's relatively rare these days for Windows vulnerabilities to be publicly released before Microsoft has issued a patch. Microsoft, as well as many other companies, offer bug bounties, or rewards, for information on software flaws.

But publicly disclosing the flaw usually disqualifies someone from earning a bug bounty. According to Microsoft's rules, detailed proof-of-concept code - such as the kind that SandboxEscaper posted - must be withheld until 30 days after Microsoft issues a patch.

On Aug. 25, SandboxEscaper tweeted a link to a video showing what happens when the flaw is exploited and said that Microsoft plans to patch it next month.

A video from SandboxEscaper showing the effect of the exploit.

It's possible that the publication of the video may have violated Microsoft's terms and conditions for bug rewards. The video was published on May 7.

Microsoft officials couldn't immediately be reach for comment, but the company tells the Register that it plans to issue an advisory to users about the problem shortly.

On Wednesday, however, SandboxEscaper said via Twitter: "I screwed up, not MSFT (they are actually a cool company)."

System-Level Access

SandboxEscaper has also posted proof-of-concept exploit code on GitHub. The vulnerability allows for local privileges to be escalated to system level due to a flaw within the Advanced Local Procedure Call, or ALPC, interface of the Windows task scheduler.

"The flaw is that the Task Scheduler API function SchRpcSetSecurity fails to check permissions," Beaumont writes in his blog post. "So anybody - even a guest - can call it and set file permissions on anything locally."

Someone using the vulnerability could be detected using Sysmon, one of Microsoft's monitoring and logging tools," he writes.

"If you use Microsoft Sysmon, look for spoolsv.exe spawning abnormal processes - it's a sure sign this exploit is being used (or another Spooler exploit)," Beaumont writes. "Similarly if you use Sysmon, look for connhost.exe (Task Scheduler) spawning under abnormal processes (e.g. the Print Spooler)."

CERT/CC at Carnegie Mellon University has issued a security advisory about the flaw. It says the exploit code works on 64-bit Windows 10 and Windows Server 2016 machines, according to Will Dormann, a vulnerability analyst with CERT/CC.

Dormann later wrote on Twitter that he "can confirm that with minor tweaks the public exploit code for the Windows Task Manager ALPC [vulnerability] works on 32-bit Windows 10 as well."

Dormann also wrote that disabling the Task Scheduler appears to block the exploit. But he cautioned that the approach requires system privileges and has the nasty side effect disabling Windows Update, Microsoft's patching tool.

"Not sure I can in good faith recommend," Dormann writes.

Several similar vulnerabilities have been found in the Windows Task Scheduler since 2004, says Allan Liska, a solutions architect with Recorded Future.

One potential way to mitigate the flaw would be to not let untrusted users run code, Liska says. But if an attacker gets access with user-level privileges, such as by using a browser remote code execution exploit, the mitigation won't work.

In the meantime, admins should look for malicious activity in the Task Scheduler and monitor the print spooler service (spoolsv.eve) for unusual processes. But Liska warns that minor tweaks to the proof-of-concept code could result in other services being called too.

Praise From Peers

It's unclear why SandboxEscaper opted to publicly publish the proof-of-concept code. Efforts to reach her were not successful.

On Aug. 27, a day before she posted the proof-of-concept code on Github, she wrote on Twitter: "I don't think a job in vuln research is going to happen for me anymore *packs her backpack and wanders off*."

But her vulnerability discovery has drawn substantial attention and compliments for technical acumen, including from the cybersecurity training company Hacker House.

"Hi would you be interested in talking with us @myhackerhouse? Where are you based?" said security researcher @hackerfantastic, aka Matthew Hickey, who's one of the firm's founders.

Many other people tweeted messages of support to SandboxEscaper, whose tweets from earlier this year pointed to personal issues related to social isolation and being transgender.

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.