A security researcher with Twitter alias SandboxEscaper—who two months ago publicly dropped a zero-day exploit for Microsoft Windows Task Scheduler—has yesterday released another proof-of-concept exploit for a new Windows zero-day vulnerability.SandboxEscaper posted a link to a Github page hosting a proof-of-concept (PoC) exploit for the vulnerability that appears to be a privilege escalation flaw residing in Microsoft Data Sharing (dssvc.dll).
The Data Sharing Service is a local service that runs as LocalSystem account with extensive privileges and provides data brokering between applications.
The flaw could allow a low-privileged attacker to elevate their privileges on a target system, though the PoC exploit code (deletebug.exe) released by the researcher only allows a low privileged user to delete critical system files—that otherwise would only be possible via admin level privileges.
“Not the same bug I posted a while back, this doesn’t write garbage to files but actually deletes them.. meaning you can delete application dll’s and hope they go look for them in user write-able locations. Or delete stuff used by system services c:windowstemp and hijack them,” the researcher wrote.
Since the Microsoft Data Sharing service was introduced in Windows 10 and recent versions of Windows server editions, the vulnerability does not affect older versions of Windows operating systems including 7 or 8.1.The PoC exploit has successfully been tested against “fully-patched Windows 10 system” with the latest October 2018 security updates, Server 2016 and Server 2019, but we do not recommend you to run the PoC, as it could crash your operating system.
This is the second time in less than two months SandboxEscaper has leaked a Windows zero-day vulnerability.
In late August, the researcher exposed details and PoC exploit for a local privilege escalation vulnerability in Microsoft Windows Task Scheduler occurred due to errors in the handling of the Advanced Local Procedure Call (ALPC) service.
Shortly after the PoC released for the previous Windows zero-day flaw, the exploit was found actively being exploited in the wild, before Microsoft addressed the issue in the September 2018 Security Patch Tuesday Updates.
SandboxEscaper’s irresponsible disclosure once again has left all Windows users vulnerable to the hackers until the next month’s security Patch Tuesday, which is scheduled for November 13, 2018.