PoC Exploits Released for Two More Windows Vulnerabilities

Right on the heels of a privilege escalation zero-day vulnerability for Windows 10 released yesterday, the same researcher has released exploit code for two more vulnerabilities today.

A security researcher named SandboxEscaper is known for dropping zero-day vulnerabilities and exploits for Microsoft. Just yesterday, the researcher released a local privilege escalation vulnerability that utilizes the Windows 10 Task Scheduler. When used, the vulnerability allows users gain permissions to files that they would normally not have.

Today, SandboxEscaper released code that exploits two more vulnerabilities; one local privilege escalation vulnerability in Windows Error Reporting (tracked as CVE-2019-0863) and a sandbox escape vulnerability for Internet Explorer 11.

The only reason given for releasing these vulnerabilities is the following post from SandboxEscaper's blog.

At this point, users that have the latest security updates from Microsoft are safe against CVE-2019-0863, but the status for the IE 11 bug is unknown.

Internet Explorer 11 Sandbox Escape zero-day

The first vulnerability released today could allow an attacker to inject a DLL into a specified Internet Explorer 11 process. When the injection works, it will open a filepicker and an HTML page that contains JavaScript.

When right-clicking on the filepicker, you can see that the exploit disabled Internet Protected Mode. This means that the JavaScript would have run under this lower security context.

Windows Error Reporting LPE bug

The second security issues tackled by SandboxEscaper is called AngryPolarBearBug2 and is a local privilege elevation vulnerability that exploits a bug in Windows Error Reporting. The flaw received a fix this month and credit for discovering and reporting is given to Gal De Leon of Palo Alto Networks and Polar Bear, which SandboxEscaper sometimes uses as an alias and is also the name of her GitHub repository with exploit code.

It does this by exploiting a race condition between two function calls in order to create a hardlink with elevated permission to a file of the attackers choice. This could allow the attacker to modify or delete a file they do not normally have access to.

In SandboxEscapers PoC, they state that when the exploit succeeds it will make the C:WindowsSystem32driverspci.sys writable by a non-admin, which is normally not the case as shown below.

If successful, the exploit will allow a normal user to delete the PCI.sys file.

The good news is that this vulnerability is not easy to exploit. According to SandboxEscaper, it can take up to 15 minutes for the exploit to trigger and even then it may not work.

SandboxEscaper also says that the exploit has a better chance of success with more powerful computers and even then it can take a long time to exploit.

"The race condition is incredibly hard to win. I havn't tested on another setup.. but you definitely need multiple processor cores and you may have to wait minutes for it to work (It can take a really long time.. ). Anyway... in an LPE scenario time is not that much of an issue."

BleepingComputer was not able to trigger this vulnerability using SandboxEscaper's PoC.

Update [05.23.2019]: The AngryPolarBearBug2 bug is not a zero day. Security researcher Gal De Leon of Palo Alto Networks confirms that the exploit code is actually a proof-of-concept for CVE-2019-0863. De Leon is credited by Microsoft for reporting the bug, along with Polar Bear, which is the name Sandbox Escaper uses for her GitHub repo with exploit code.

SandboxEscaper released the exploit for CVE-2019-0863 (https://t.co/KZgdpeWBFr), also discovered by me 🙂
The race is quite difficult to win but possible, and it provides a primitive to overwrite the DACL of an arbitrary file.

— Gal De Leon (@galdeleon) May 23, 2019

Comments are closed.