Bug-hunter reveals another 'make me admin' Windows 10 zero-day – and vows: 'There's more where that came from'
Vulnerability can be exploited to turn users into system stars, no patch available yet
Updated: A bug-hunter who previously disclosed Windows security flaws has publicly revealed another zero-day vulnerability in Microsoft's latest operating systems.
The discovered hole can be exploited by malware and rogue logged-in users to gain system-level privileges on Windows 10 and recent Server releases, allowing them to gain full control of the machine. No patch exists for this bug, details and exploit code for which were shared online on Tuesday for anyone to use and abuse.
The flaw was uncovered, and revealed on Microsoft-owned GitHub, funnily enough, by a pseudonymous netizen going by the handle SandboxEscaper. She has previously dropped Windows zero-days that can be exploited to delete or tamper with operating system components, elevate local privileges, and so on.
It appears the exploit code imports a legacy job file into the Windows Task Scheduler using schtasks, creating a new task, and then deletes that new task's file from the Windows folder. Next, it creates a hard filesystem link pointing from where the new task's file was created to pci.sys, one of Windows' kernel-level driver files, and then runs the same schtasks command again. This clobbers pci.sys's access permissions so that it can be modified and overwritten by the user, thus opening the door to privileged code execution.
The exploit, as implemented, appears to need a valid username and password combo on the machine to proceed. It can be tweaked and rebuilt from its source code to target system files other than pci.sys.
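A defender-side check for the pattern described above, added here as an example and not taken from the article or from any tool it mentions: it lists files in a task directory that carry extra hard links and flags any that are the same on-disk file as a protected system file. The function names, the directory arguments and the sample files are assumptions made for illustration.

```python
import os
import stat
import tempfile
from pathlib import Path


def find_hardlinked_entries(scan_dir, protected_paths=()):
    """Return files in scan_dir that carry extra hard links.

    Each finding gives the path, its link count and, when the file is the
    same on-disk object as one of protected_paths, that protected path.
    """
    protected = {}
    for p in protected_paths:
        try:
            st = os.stat(p)
        except OSError:
            continue  # missing or unreadable, nothing to compare against
        protected[(st.st_dev, st.st_ino)] = str(p)

    findings = []
    for entry in sorted(Path(scan_dir).iterdir()):
        try:
            st = entry.lstat()
        except OSError:
            continue  # entry vanished or access was denied
        if not stat.S_ISREG(st.st_mode):
            continue
        alias_of = protected.get((st.st_dev, st.st_ino))
        if st.st_nlink > 1 or alias_of:
            findings.append(
                {"path": str(entry), "links": st.st_nlink, "alias_of": alias_of}
            )
    return findings


def demo():
    """Constructed sample: a stand-in driver file and a task file linked to it."""
    root = Path(tempfile.mkdtemp())
    (root / "drivers").mkdir()
    (root / "tasks").mkdir()
    driver = root / "drivers" / "pci.sys"  # stand-in file, not the real driver
    driver.write_bytes(b"constructed driver bytes")
    (root / "tasks" / "ordinary.job").write_bytes(b"constructed job")
    os.link(driver, root / "tasks" / "suspect.job")  # the pattern to detect
    return find_hardlinked_entries(root / "tasks", [driver]), driver


if __name__ == "__main__":
    for finding in demo()[0]:
        print(finding)
```

On a real host, pass the directory where Task Scheduler job files are created and the list of system files you want guarded; a job file with a link count above one is worth investigating even when it matches nothing on the list.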
Will Dormann, a vulnerability analyst at the CERT Coordination Center, part of the US government-funded Software Engineering Institute, confirmed the exploit works against a fully patched and up-to-date version of Windows 10, 32 and 64-bit, as well as Windows Server 2016 and 2019. Windows 8 and 7 appear unaffected by the 'sploit as it currently stands.
Here's a video of the proof-of-concept attack in action:
"SandboxEscaper just released this video as well as the POC for a Windows 10 priv esc pic.twitter.com/IZZzVFOBZc" — Chase Dardaman (@CharlesDardaman), May 21, 2019
To be generous to Microsoft, privilege escalation flaws are a dime a dozen in Windows: the software giant patches them every month in its operating system.
And it will likely be patching more still – SandboxEscaper apparently has more zero-days up her sleeve aside from this latest vulnerability: "I have four more unpatched bugs where that one came from. Three LPEs [local privilege escalations], all gaining code exec as system, not lame delete bugs or whatever, and one sandbox escape," she boasted on Tuesday.
She's also rather peeved at the West and society in general, and hopes to sell some of her exploits to non-Western miscreants, though she did not specify a currency: "If any non-western people want to buy LPEs, let me know. (Windows LPE only, not doing any other research nor interested in doing so). Won't sell for less than 60k for an LPE. I don't owe society a single thing. Just want to get rich and give you fucktards in the West the middle finger."
The researcher earlier waxed lyrical about exploring trails in northern England while complaining that "human society deeply disgusts me."
Spokespeople for Microsoft declined to comment. ®
Updated to add