Windows 10 bug could allow files to be overwritten, researcher shows
A security researcher has released proof-of-concept code for a zero-day exploit in Windows 10. The bug was revealed by SandboxEscaper, a researcher who has exposed Windows vulnerabilities in the past.
The latest bug makes it possible to overwrite files with arbitrary data, and while there are numerous criteria that must be met in order for the vulnerability to be exploited, it is still potentially serious. SandboxEscaper warned Microsoft about the problem on Christmas day, before publishing the PoC a couple of days later.
The proof-of-concept showed that it is possible to overwrite the file pci.sys with data collected through Windows Error Reporting. The fact that a system file such as this can be attacked shows that an attacker could cause a denial of service on a target machine from a user account without administrative privileges.
SandboxEscaper explains that the technique could be used to disable third-party antivirus software, and this would allow for further exploits to be executed. She notes that she was not able to exploit the vulnerability on machines with a single CPU core.
Will Dormann, a vulnerability analyst at CERT/CC, shared his thoughts on Twitter about the discovery:
This latest 0day from SandboxEscaper requires a lot of patience to reproduce. And beyond that, it only *sometimes* overwrites the target file with data influenced by the attacker. Usually it's unrelated WER data. https://t.co/FnqMRpLy77
— Will Dormann (@wdormann) December 29, 2018
In response, Mitja Kolsek from 0patch dismissed attempts to downplay the seriousness of the problem:
I haven't tried it out yet but if it's a local privilege escalation and you can check if the exploit succeeded, I suppose it doesn't matter if it only works once in a hundred tries.
— Mitja Kolsek (@mkolsek) December 30, 2018
SandboxEscaper's Twitter account is currently suspended, but you can find out more about the exploit over on GitHub.