Governance & Risk Management , Incident & Breach Response , Managed Detection & Response (MDR)
Microsoft Zero-Day Exploit Published Before Patch
Exploit Code Published After Disclosure Process Appears to Have Gone SidewaysMicrosoft appears set to patch a zero-day local privilege escalation vulnerability that was publicly posted on Tuesday by a security researcher.
See Also: Webinar | Identity Crisis: How to Combat Session Hijacking and Credential Theft with MDR
The flaw has been tested and has been found valid. In order to use it, an attacker would have to already have access to a system.
Kevin Beaumont, a U.K.-based security researcher, writes in a blog post that "it's a really neat flaw, in particular how it is exploited."
Someone going by the handle @SandboxEscaper on Twitter found the flaw. Her tweets after posting the flaw indicated some sort of friction during the disclosure process.
She later tweeted: "Enjoy the 0day. It will get patched really fast. I guess I had fun today. Now I'm gone for a while, bye."
Enjoy the 0day. It will get patched really fast. I guess I had fun today. Now I'm gone for a while, bye.
— SandboxEscaper (@SandboxEscaper) August 27, 2018
Unusual Release Timing
It's relatively rare these days for Windows vulnerabilities to be publicly released before Microsoft has issued a patch. Microsoft, as well as many other companies, offer bug bounties, or rewards, for information on software flaws.
But publicly disclosing the flaw usually disqualifies someone from earning a bug bounty. According to Microsoft's rules, detailed proof-of-concept code - such as the kind that SandboxEscaper posted - must be withheld until 30 days after Microsoft issues a patch.
On Aug. 25, SandboxEscaper tweeted a link to a video showing what happens when the flaw is exploited and said that Microsoft plans to patch it next month.
It's possible that the publication of the video may have violated Microsoft's terms and conditions for bug rewards. The video was published on May 7.
Microsoft officials couldn't immediately be reach for comment, but the company tells the Register that it plans to issue an advisory to users about the problem shortly.
On Wednesday, however, SandboxEscaper said via Twitter: "I screwed up, not MSFT (they are actually a cool company)."
System-Level Access
SandboxEscaper has also posted proof-of-concept exploit code on GitHub. The vulnerability allows for local privileges to be escalated to system level due to a flaw within the Advanced Local Procedure Call, or ALPC, interface of the Windows task scheduler.
"The flaw is that the Task Scheduler API function SchRpcSetSecurity fails to check permissions," Beaumont writes in his blog post. "So anybody - even a guest - can call it and set file permissions on anything locally."
Someone using the vulnerability could be detected using Sysmon, one of Microsoft's monitoring and logging tools," he writes.
"If you use Microsoft Sysmon, look for spoolsv.exe spawning abnormal processes - it's a sure sign this exploit is being used (or another Spooler exploit)," Beaumont writes. "Similarly if you use Sysmon, look for connhost.exe (Task Scheduler) spawning under abnormal processes (e.g. the Print Spooler)."
CERT/CC at Carnegie Mellon University has issued a security advisory about the flaw. It says the exploit code works on 64-bit Windows 10 and Windows Server 2016 machines, according to Will Dormann, a vulnerability analyst with CERT/CC.
Dormann later wrote on Twitter that he "can confirm that with minor tweaks the public exploit code for the Windows Task Manager ALPC [vulnerability] works on 32-bit Windows 10 as well."
Dormann also wrote that disabling the Task Scheduler appears to block the exploit. But he cautioned that the approach requires system privileges and has the nasty side effect disabling Windows Update, Microsoft's patching tool.
"Not sure I can in good faith recommend," Dormann writes.
Several similar vulnerabilities have been found in the Windows Task Scheduler since 2004, says Allan Liska, a solutions architect with Recorded Future.
One potential way to mitigate the flaw would be to not let untrusted users run code, Liska says. But if an attacker gets access with user-level privileges, such as by using a browser remote code execution exploit, the mitigation won't work.
In the meantime, admins should look for malicious activity in the Task Scheduler and monitor the print spooler service (spoolsv.eve) for unusual processes. But Liska warns that minor tweaks to the proof-of-concept code could result in other services being called too.
Praise From Peers
It's unclear why SandboxEscaper opted to publicly publish the proof-of-concept code. Efforts to reach her were not successful.
On Aug. 27, a day before she posted the proof-of-concept code on Github, she wrote on Twitter: "I don't think a job in vuln research is going to happen for me anymore *packs her backpack and wanders off*."
I don't think a job in vuln research is going to happen for me anymore *packs her backpack and wanders off*
— SandboxEscaper (@SandboxEscaper) August 27, 2018
But her vulnerability discovery has drawn substantial attention and compliments for technical acumen, including from the cybersecurity training company Hacker House.
"Hi would you be interested in talking with us @myhackerhouse? Where are you based?" said security researcher @hackerfantastic, aka Matthew Hickey, who's one of the firm's founders.
Many other people tweeted messages of support to SandboxEscaper, whose tweets from earlier this year pointed to personal issues related to social isolation and being transgender.