In the Spotlight This Week
During the first half of this week, exploit developer SandboxEscaper dropped proof-of-concepts (PoCs) for five different Microsoft vulnerabilities. PoC #1: Local privilege escalation flaw in Windows 10 Task Scheduler
This vulnerability depends on the presence of .JOB files from Windows XP version of Task Scheduler. The .JOB files can be imported into newer versions of Windows; at which time they are given arbitrary DACL (discretionary access control list) control rights. However, if the file lacks a DACL, any user gains full access to the file. PoC #2: Sandbox escape flaw in Internet Explorer 11
Dubbed AngryPolarBearBug2, this local privilege escalation vulnerability is quite hard to duplicate. SandboxEscaper used vulnerability CVE-2019-0863 (patched earlier this month) to exploit a race condition between two function calls in order to create a hardlink with elevated permission to any file the attacker chooses. PoC #4: Local privilege escalation vulnerability, CVE-2019-0841 Bypass
Earlier this month, Microsoft patched CVE-2019-0841, a Windows Elevations of Privilege Vulnerability. ShadowEscaper discovered an exploit that bypasses the recent patch and allows attackers to write the DACL, which controls who is allowed to access a securable object. PoC #5: Local privilege escalation vulnerability, InstallerBypass
For this hard to reproduce exploit, Sandbox escaper illustrates that the vulnerability could be used to run escalated privileges after dropping binaries into the system 32 Windows folder. As SandboxEscaper says, it "Could be used with malware, you could programmatically trigger the rollback. Maybe you can even pass the silent flag to hide installer UI and find another way to trigger rollback (i.e through installer api, injecting into medium IL msiexec etc)."
For more information on all these exploits (including PoC videos), see the following: New Zero-Day Exploit for Bug in Windows 10 Task Scheduler PoC Exploits Released for Two More Windows Vulnerabilities Two More Windows 10 Zero-Day PoC Exploits Released, Brings Total to 4