
SandboxEscaper Releases Several Windows Vulnerabilities

Over the past couple of days, the security researcher who goes by the pseudonym SandboxEscaper has released several Microsoft Windows vulnerabilities to the public with no prior notice given to Microsoft. The researcher has developed a reputation in the InfoSec community for releasing vulnerabilities, Windows vulnerabilities in particular, to the public without informing the software producer or giving the prior notice that is regarded as good practice amongst researchers.

The first of the flaws, published on May 22, can be classified as a local privilege escalation (LPE) zero-day. LPE means exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. It is important to note that such flaws cannot be used to break into a system. Rather, hackers use them at later stages of an attack to elevate their access on already compromised hosts from low-privileged to admin-level accounts. In this instance, the flaw resides in the Windows Task Scheduler process. To exploit it, the attacker would need to run a malformed .job file that changes the discretionary access control list (DACL), the mechanism that limits who has access to a file, within the Task Scheduler. If done correctly, the attacker can raise their privileges on the system from a low level to that of an admin, granting them access to the entire system.

The second zero-day is a vulnerability in the Windows Error Reporting service which, SandboxEscaper said, can be exploited via a carefully placed DACL. SandboxEscaper named the vulnerability “AngryPolarBearBug2” after a similar zero-day she discovered in the same Windows Error Reporting service last December and named “AngryPolarBearBug.” This bug can take up to 15 minutes to exploit correctly, meaning it might not appeal to hackers when simpler options are available.


Again, like the first, this flaw can be classified as an LPE: if correctly exploited, it gives the attacker access to files, including the ability to edit them, that they would not normally have. The third zero-day published impacts Internet Explorer 11. This vulnerability could allow attackers to inject malicious code into Internet Explorer. According to ZDNet, this zero-day is not remotely exploitable but can only be used to neuter security protections in IE for subsequent attacks, and should be considered a low-impact issue.

Previously Published Flaws and their Impact

In 2018 SandboxEscaper released four flaws to the public, one of which was seen being exploited in the wild two days after she published her findings. That flaw affects the Advanced Local Procedure Call (ALPC) interface of the Windows Task Scheduler. Malicious actors with local access to the targeted device can exploit the flaw to escalate privileges on the targeted system by overwriting files that should normally be protected by filesystem access control lists (ACLs). An ACL specifies which users or system processes are granted access to an object, as well as what operations are allowed on it. For example, if a file object has an ACL that contains (Alice: read, write; Bob: read), Alice is permitted to read and write the file and Bob only to read it. Like the two LPEs above, this flaw would also grant an attacker raised privileges, allowing them to access and edit files only a system admin should have access to. Researchers at ESET discovered that this vulnerability was being exploited by the threat group PowerPool shortly after SandboxEscaper published her findings. The flaw was leveraged in attacks against users in the United States, the United Kingdom, Germany, Ukraine, Chile, India, Russia, the Philippines, and Poland in what appear to be highly targeted attacks. The attack was not sophisticated according to researchers at ESET; however, they did conclude that,

“This specific campaign targets a limited number of users, but don’t be fooled by that: it shows that cybercriminals also follow the news and work on employing exploits as soon as they are publicly available,”

This case clearly showed the dangers of releasing flaws to the public without following best practices. By publicly releasing the flaws, Windows users are placed at risk. One of the reasons a coordinated vulnerability disclosure procedure exists is to prevent such scenarios and to help mitigate the risk to users from hackers and other threat groups. Normally, companies are informed of the vulnerability first and given a period of time to develop and release a patch. If the company ignores the flaw or misses the deadline, the researchers can then go to the public with their findings. SandboxEscaper has earned a reputation for going straight to the public rather than following the best practices observed by much of the community. What’s more, according to her blog she has uncovered two more Windows vulnerabilities and will probably release those to the public as before. Microsoft has been quick to release patches for publicly disclosed flaws in the past, and it is foreseeable that these flaws will receive a patch on the next Patch Tuesday, scheduled for June 11. It can only be hoped that they are not serious and of relatively low impact, so as not to draw the attention of hackers and other threat groups.
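As an added defensive illustration of the ACL model explained above (example code, not from the original article or from any researcher named in it): a PowerShell audit that reports file DACL entries granting write-type rights to broad groups such as Everyone or BUILTIN\Users, the kind of entry that lets a low-privileged user alter files that should remain protected. The function names are my own and the audit path is a placeholder.

```powershell
# Added example, not from the original article: audit a directory's DACLs for
# entries that grant write-type rights to broad groups (Everyone, BUILTIN\Users,
# Authenticated Users). Such an entry lets any local user alter files that the
# article says should stay protected by their ACLs.
# Assumption: Windows PowerShell 5.1 or newer; $AuditPath is a placeholder.

# Rights that allow changing a file's content, its DACL, or its owner.
$script:WriteLikeRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
    [System.Security.AccessControl.FileSystemRights]::Modify -bor
    [System.Security.AccessControl.FileSystemRights]::FullControl -bor
    [System.Security.AccessControl.FileSystemRights]::WriteDac -bor
    [System.Security.AccessControl.FileSystemRights]::TakeOwnership

# Well-known SIDs for groups that effectively mean "any local user".
$script:BroadGroupSids = @('S-1-1-0', 'S-1-5-32-545', 'S-1-5-11')

function Test-BroadWriteAce {
    # Returns $true when a single Allow ACE gives a broad group a write-like right.
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    if ($Ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { return $false }
    $sid = $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    return ($script:BroadGroupSids -contains $sid) -and
           (([int]$Ace.FileSystemRights -band [int]$script:WriteLikeRights) -ne 0)
}

function Find-BroadWriteAces {
    # Walks every file under $Path and reports each offending ACE and where it comes from.
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_.FullName
        foreach ($ace in (Get-Acl -LiteralPath $file).Access) {
            if (Test-BroadWriteAce -Ace $ace) {
                [pscustomobject]@{
                    Path      = $file
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited   # inherited entries point at a parent folder's DACL
                }
            }
        }
    }
}

# Self-check on constructed ACEs (no real account needed): Everyone with Write is flagged,
# Everyone with ReadAndExecute is not.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$weakAce  = New-Object System.Security.AccessControl.FileSystemAccessRule($everyone, 'Write', 'Allow')
$okAce    = New-Object System.Security.AccessControl.FileSystemAccessRule($everyone, 'ReadAndExecute', 'Allow')
"Weak ACE flagged: $(Test-BroadWriteAce -Ace $weakAce); read-only ACE flagged: $(Test-BroadWriteAce -Ace $okAce)"

$AuditPath = 'C:\PLACEHOLDER\Tasks'   # placeholder: point at the directory you want to review
Find-BroadWriteAces -Path $AuditPath | Format-Table -AutoSize
```

Inherited entries indicate that the permissive rule lives on a parent folder, so the fix belongs there rather than on the individual file.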


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
