New Microsoft unpatched Zero-day bug exposed in online again along with proof-of-concept(PoC) by the same security researcher who has previously leaked another critical zero-day vulnerability in Twitter.
Twitter name SandboxEscaper, A security researcher famous for leaking Zero-day bugs online along with PoC and now she exposed second Microsoft Zero-day bug.
Also she said, “Not the same bug I posted a while back, this doesn’t write garbage to files but actually deletes them.. meaning you can delete application dll’s and hope they go look for them in user write-able locations. Or delete stuff used by system services c:\windows\temp and hijack them.”
This Vulnerability referred as a Deletebug and it allows non-admins to delete any file by abusing a new Windows service not checking permissions again.
Experts who have analyzed this bug believes that once
@SandboxEscaper‘s deletebug.exe deletes pci.sys on the computer, you can no longer restart it so make sure you test on a virtual machine that you can revert to a state before you ran deletebug.exe.
Btw, once @SandboxEscaper's deletebug.exe deletes pci.sys on the computer, you can no longer restart it so make sure you test on a virtual machine that you can revert to a state before you ran deletebug.exe. pic.twitter.com/bsQ2NNVnXS
— Mitja Kolsek (@mkolsek) October 23, 2018
Mitja Kolsek, Co-founder of 0patch said, This Unpatched Zero-day exactly affecting data sharing service (dssvc.dll)which is only presented in exist on Windows 10 / Server 2016 but not on Windows 7 And Windows 8.
“The Internet seems to know that it crashes a lot and it describes itself as “Provides data brokering between applications.”
Kevin Beaumont who analyzed this Zero-day believes that the current Zero-day that she exposed will only work in Windows 10 and Server 2016 and 2019.
So this works. Windows 10 and Server 2016 (and 2019) only. It’s similar to Task Scheduler exploit, it allows non-admins to delete any file by abusing a new Windows service not checking permissions again. https://t.co/q45Qj3DGSS
— Kevin Beaumont (@GossiTheDog) October 23, 2018
Since this Unpatched Zero-day bug published along with the PoC helps for attackers who can use this PoC to delete OS files and replace the malicious files.
In this case, 0patch released a micropatch candidate for this Unpatched Zero-day, currently working on fully updated Windows 10 1803 that help to stop exploiting the unpatched windows zero-day bugs untill it gets patched by Microsoft.
7 hours after the 0day in Microsoft Data Sharing Service was dropped, we have a micropatch candidate that successfully blocks the exploit by adding impersonation to the DeleteFileW call. As you can see, the Delete operation now gets an "ACCESS DENIED" due to impersonation. pic.twitter.com/qoQgMqtTas
— 0patch (@0patch) October 23, 2018
We hope Microsoft already aware of this bug and possibly the patch will be released in next Microsoft Security updates. Kindly Stay tuned, we will update you with more details about this Zeroday bug soon.