Security researcher auctions off Windows 10 zero-day exploits

The prolific bug hunter says she only wants to sell to non-western buyers

Three zero-day exploits in Microsoft services and products have been published in as many days this week by a security researcher known for uncovering and distributing Windows vulnerabilities to hacking communities.

The researcher, with the online alias of SandboxEscaper, began her 10-month siege on Microsoft's security in August 2018, uncovering three new elevated privilege bugs this week in addition to four other zero-days published last summer.

Most of the exploits are local privilege escalation (LPE) bugs. SandboxEscaper has said she wants to sell them to non-western buyers and "won't sell for less than 60k" for each bug, according to a post on GitHub.

The first exploit was released on Monday, accompanied by a video showing code exploiting a vulnerability in the Task Scheduler in Windows 10, allowing attackers to read and write files as an admin could.

The bug is exploitable on Windows 10 x86, x64 and x32 machines, as well as Windows Server 2016 and 2019. Windows 7 and 8, as of now, seem unaffected. A video proving the effectiveness can be found on the researcher's GitHub repository.

"Local privilege vulnerabilities are pretty common on Windows, and far less concerning than a remote code execution vulnerability like the RDP bug that hit the headlines recently," said Gavin Millard, VP of intelligence at Tenable, referring to the BlueKeep vulnerability, a remote execution exploit that granted hackers the highest possible privileges on Windows operating systems.

"But, due to the researcher being motivated by cash flow rather than altruism, the main concern is the exploit being available without a fix. To exploit, the attack has to have valid credentials on the target which is non-trivial on a well maintained and secure system, but with the continued popularity of a single password rather than having credentials per service, it could be leveraged in a more targeted attack."

At the time of the release, the researcher said she had three more vulnerabilities to publish: two more LPEs and a sandbox escape. She published the remaining LPEs later on Wednesday.

The latest bugs, number 6 and 7 of the 7 total exploits found since August 2018, were found in the Windows Error Reporting service and Internet Explorer 11 (IE11) respectively.

The vulnerability in the Windows Error Reporting service bears a strong resemblance to an earlier bug of SandboxEscaper's found in December, but it is less easy to exploit.

Named 'AngryPolarBearBug2', it's another LPE issue that could allow an attacker to read and write files they wouldn't normally have access to. To work, an attacker must carefully time a DACL (discretionary access control list) operation in the Windows service, but the researcher says "it's not that much of an issue" as it takes a fairly long time to trigger, upwards of 15 minutes to be exact.

The IE11 vulnerability is also considered a low-impact issue and the researcher only gives a brief three-line summary of the zero-day. Attackers are able to inject malicious code into the browser but it isn't remotely exploitable and can only be used to weaken the browser's security protections ahead of subsequent attacks.

"The biggest risk that I see from this vulnerability is that of insider threat," said Craig Young, principal security researcher at Tripwire. "For example, employees typically do not have administrative rights on their workstations as this might allow them to install unauthorized software or remove critical security controls.

"These users of course know their own password and so can trivially exploit this flaw. Bad practices like password reuse or falling for social engineering tactics like phishing could also allow an attacker to exploit this, but only if they have a way to get an interactive login on the system," he added.

The vulnerabilities were released shortly after the Windows 10 May 2019 update, which wasn't without its own errors. The update was blocked for users who had an external USB storage device or SD card connected, and it could also affect internal hard drives.

"Microsoft has a customer commitment to investigate reported security issues and we will provide updates for impacted devices as soon as possible," said a Microsoft spokesperson to IT Pro. "We urge finders to practice coordinated vulnerability disclosure to reduce the potential risk to customers."
