Sunday, January 26, 2025
HomeExploitHacker Leaked New Windows 10 Zero-day Exploit Online To Bypass Already Patched...

Hacker Leaked New Windows 10 Zero-day Exploit Online To Bypass Already Patched Bug

Published on

SIEM as a Service

Follow Us on Google News

SanboxEscaper, an anonymous hacker came back and leaked an another Windows zero-day PoC that exploits already patched (CVE-2019-0841) local privilege escalation vulnerability that resides in Windows 10.

This is a second zero-day that bypass CVE-2019-0841, An elevation of privilege vulnerability exists when Windows AppX Deployment Service improperly handles hard links. and the vulnerability has been already patched by Microsoft in April.

SandboxEscaper, a pseudonym of a widely known anonymous hacker who has actively leak windows based zero-day exploit online since August 2018 (1, 2, 3, 4, 5, 6), and this is ninth zero-day leak since August 2018.

An attacker who successfully exploited this vulnerability (CVE-2019-0841) could run processes in an elevated context., In result, threat actor installs malicious programs view, change or delete data.

Exploit The 0day with Edge

SanboxEscaper explains (GitHub repository removed now), the vulnerability can be triggered by deleting all files and subfolders within the location of Edge browser where she pointed below.

"c:\\users\\%username%\\appdata\\local\\packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\" 

Firstly, we need to perform the deleting process as a local user account. so, when user launch the Edge, it will end up to crash the browser. but, when a local user launches it a second time, it causes to write the Discretionary Access Control List (DACL) while impersonating “SYSTEM.”

Arbitrary DACL writes allow a low-privileged user to change the system permissions, eventually gains complete control of the systems admin access.

SandboxEscaper explains the following process via her GitHub repository.

The trick here is to launch edge by clicking it on the taskbar or desktop, using “start microsoft-edge:” seems to result in correct impersonation.\par

You can still do this completely programmatically.. since edge will always be in the same position in the task bar.. *cough*
sendinput *cough*.

There
is probably other ways too.\par

\b Another note, this bug is most definitely not restricted to
edge. This will be triggered with other packages too. So you can definitely figure out a way to trigger this bug silently without having edge pop up. Or you could probably minimize edge as soon as it launches and close it as soon as the bug completes. I think it will also trigger by just launching edge once, but sometimes you may have to wait a little. I didn’t do extensive testing..

She also said that it took only 2 hours total to found this bug and quickly wrote up a PoC, LPEs is easy.

Will Dormann, Vulnerability Analyst at the CERT/CC, says, ” I’ve confirmed that this works on a fully-patched (latest May updates) Windows 10 (1809 and 1903) system. This exploit allows a normal desktop user to gain full control of a protected file.”

She also recommends that “Make sure you have multiple cores in your VM (not multiple processors, multiple \b cores\b0 ).\par. It’s going to increase the thread priority to increase our odds of winning the race condition that this exploits”

To be clear, an attacker would first have to log on to the system as a local user and then run this exploit (GitHub) to trigger this vulnerability and take control of the vulnerable system.

This is not a final Zero-day in her row, ” I have one more 0day.” says in her blog post.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Subaru’s STARLINK Connected Car’s Vulnerability Let Attackers Gain Restricted Access

In a groundbreaking discovery on November 20, 2024, cybersecurity researchers Shubham Shah and a...

Android Kiosk Tablets Vulnerability Let Attackers Control AC & Lights

A security flaw found in Android-based kiosk tablets at luxury hotels has exposed a...

CISA Releases Six ICS Advisories Details Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS)...

Juniper Routers Exploited via Magic Packet Vulnerability to Deploy Custom Backdoor

A sophisticated cyber campaign dubbed "J-magic" has been discovered targeting enterprise-grade Juniper routers with...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Subaru’s STARLINK Connected Car’s Vulnerability Let Attackers Gain Restricted Access

In a groundbreaking discovery on November 20, 2024, cybersecurity researchers Shubham Shah and a...

CISA Releases Six ICS Advisories Details Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS)...

Juniper Routers Exploited via Magic Packet Vulnerability to Deploy Custom Backdoor

A sophisticated cyber campaign dubbed "J-magic" has been discovered targeting enterprise-grade Juniper routers with...