Zero day exploit in windows 10 1903

[LukeSavenije]

Source: Tweakers (Dutch), Twitter (proof of concept), National Cyber Security Centre/NCSC (Dutch)

An anonymous hacker has put a zero day exploit for Windows online. With the vulnerability, an attacker could gain admin access to Windows. The exploit was put online immediately without any notification to Microsoft. Therefore, a patch is not availible at the time of writing.

 

Quote

The vulnerability was posted on GitHub. This is a local privilege escalation. It is not easy to break into a system, but an attacker can increase the user rights of an account to the admin level.

The vulnerability is in Windows Task Scheduler. An attacker could exploit an error in the way the Task Scheduler grants discretionary access control permissions to a file. By doing that, the permissions of file can be changed from a user level to that of an admin. The hacker has published a proof-of-concept in which the leak is exploited. That proof-of-concept only concerns 32-bit versions of Windows 10, but the discoverer says that with some adjustments it is easy to also use it on other versions of the operating system.

The vulnerability was discovered by an anonymous hacker named SandboxEscaper. It is not the first time that he has put a zero day for Windows online. Last year, the hacker already published four other leaks using local privilege escalation. The hacker did not report the vulnerability to Microsoft, which is common in such cases. The hacker sometimes blogs about the leaks. In it she says she wants to sell LPEs to 'non-Western people'. "I owe nothing to society, I just want to get rich and show everyone in the West my middle finger," he says.

Microsoft has not yet responded to the news. The leak was published two days after the last Patch Tuesday. The next patch day is scheduled for June 11, but perhaps Microsoft will come up with a solution earlier. The National Cyber Security Center is now also warning of the leak and the fact that no solution is yet available.

Quote

----- BEGIN PGP SIGNED MESSAGE -----
Hash: SHA512

   ######################################################### ###
  ## N C S C ~ S E C U R I T Y A D V I C E ##
 ######################################################### ###

Title: Vulnerability found in Windows 10
Advisory ID: NCSC-2019-0406
Version: 1.00
Chance: high
CPU ID:
                  (Details about the vulnerabilities can be found at
                   the Miter website: http://cve.mitre.org/cve/)
Damage: medium
                  Increased user rights
Date of issue: 20190522
Application:
Version (s):
Platform (s): Microsoft Windows 10

Description
   Security researcher 'SandboxEscaper' has a vulnerability
   Windows 10 published with no responsible disclosure process
   followed with Microsoft. The vulnerability suggests a local
   authenticated malicious, by abusing the
   task scheduler, obtain SYSTEM rights. The malicious must
   have a valid user,
   password combination of a user running on the system
   has user rights. This will create a task later
   increased rights.

   The security investigator has an mp4 file, among other things
   published in which a Proof-of-Concept of the
   zero-day vulnerability is displayed. The proper functioning of the
   Proof-of-Concept code has been determined by the NCSC and the
   vulnerability applies to both 32- and 64-bit Windows.

Possible solutions
   No solution or mitigation is known for the time being.

Disclaimer
   By using this security advisory you agree to the
   following conditions. Despite the fact that the NCSC is the largest possible
   has taken care in compiling this security advice,
   the NCSC cannot guarantee completeness, accuracy or
   (continuous) topicality of this security advice. The information
   this security advice is intended solely as a general one
   information for professional parties. To the information in this
   no security rights can be derived. The NCSC
   and the State are not liable for any damage as a result
   of the use or impossibility of using this
   security advice, including damage as a result of the
   inaccuracy or incompleteness of the information in this
   security advice. Dutch law applies to this security advice
   applicable. All disputes related to and / or arising
   from this security advice will be submitted to the exclusive
   competent court in The Hague. This choice of law also applies to the
   judge in interlocutory proceedings.

----- BEGIN PGP SIGNATURE -----
Version: Encryption Desktop 10.4.2 (Build 502)
Charset: UTF-8

wsDVAwUBXOVFDn + MTEyIH2VcAQrd2wv / VtoXRa + o2ZJlIxjxMFKogHg3dP6cJ8UJ
vmvH1duD7s1hDffA6PYkyUn6xyhJadBIrS3SurfDOqdNa0kwNRut2j0lm967vUIh
+ Pj6zQk1XeR1wfWpl2cfDmsf + IkqKSKZCIpaNm8s9x + PXxbUM2TrE2 + 4dQBWq2Io
IkZmowsTg6AqC2X2CvQWwflgkwrmHFbs7rWTh5pAtjk11ymeeB5 / BLkmDWOxOSu8
uQ7sh7nX6Iv7qBUqxv39Wwu2U20h2ypvfjnaVb5dJfWZMYJxmuzp494 + S77gJjbX
+ iQr3bxc9dSOM3de9MzziDrpdFdbywXft6tDtJ0KLSLqollBKfAxbTUPOd0 + R5No
44F6yYePDSEJIpBQ4EAwmUNP1nRXUNG9aMgmzXXlYVdnhqT8D / 42kiETvonEVrPO
N3JusLMuf6JGZ48NKSAeMDl0rXlEsd + 2RUfGOaGd + dLD7DxM50 / B8BnLBuI9wmFn
oelE4ZcNg93vXyQ37EBrvZiLLqQjDhXK
= jN + g
----- END PGP SIGNATURE -----

 

[WereCat]

F

I just updated to 1903 yesterday

 

EDIT:
I just remembered that I have an Intel CPU so I dont have to worry about this since I have bigger problems

[LukeSavenije]

1 minute ago, WereCat said:

F

I just updated to 1903 yesterday

i didn't yet

 

but you know windows... it'll soon be there, randomly

[Ashley MLP Fangirl]

i run Windows in a VM... if it fucks up i have a snapshot hahah. 

[mr moose]

So basically this prick thinks its a good idea to make exploits public before giving the relevant people a chance to fix them. 

[LAwLz]

Not really anonymous. It's from SandboxEscaper who has done similar things in the past. It's a very troubled individual which basically hates western counties and have several exploits up for sale, but only to "enemies of the us". 

[mr moose]

Just now, LAwLz said:

Not really anonymous. It's from SandboxEscaper who has done similar things in the past. It's a very troubled individual which basically hates western counties and have several exploits up for sale, but only to "enemies of the us". 

A genuine cyber terrorist?

[LAwLz]

1 minute ago, mr moose said:

A genuine cyber terrorist?

Kind of. A really mentally unstable one. 

They used to post a lot on Twitter but I think that has been deleted. They still maintain a blog though. You can read it here. 

https://sandboxescaper.blogspot.com/

 

The NSFW is just because of the language. Not because of any nude images or the likes. 

 

[captain_to_fire]

I wonder if Windows 10’s built in mitigations can lower chances of being exploited like enabling Force ASLR and HVCI. I’m guessing the exploit was carried out using default, out of the box settings. 

[TempestCatto]

Just like with Windows 7, I have never updated Windows 10 since I first installed it. I do have all the important shit but that's it. I disabled the Windows Update Service in services.msc as I just don't deem it important enough otherwise. A good A/V goes a long way, but common sense more so. If there's an ultra important update, I'll download it manually. Otherwise, I never have any issues what-so-ever. (wonder if it helps that I run the enterprise edition)

[Arika]

And here I am still on 1803.

[AlTech]

Wait. I'm very confused.

 

Is the hacker a man or a woman? cos there's 2 references to being a woman but then 3 references to being a man in the quoted section of the source.

[Ryujin2003]

3 minutes ago, AluminiumTech said:

Wait. I'm very confused.

 

Is the hacker a man or a woman? cos there's 2 references to being a woman but then 3 references to being a man in the quoted section of the source.

I caught that too. Either way, he/she/they/them is an asshole.

[Chunchunmaru_]

36 minutes ago, Arika S said:

And here I am still on 1803.

Yup, same

I usually try to force the upgrade by using the update assistant

[RejZoR]

I wonder how the new Core Isolation feature affects any of these exploits. It used to be unusable in 1809, but with 1903 I get same performance with or without it. But I have no clue if it gives particular benefits for any of the recently discovered stuff.

[Taf the Ghost]

If you want to make money off this stuff, sell it to the NSA. lol

[GoodBytes]

43 minutes ago, Arika S said:

And here I am still on 1803.

Contrary to the title, it affects all version of Windows 10 (and possibly earlier ones)

 

[RejZoR]

Hm, it says it affects both 32 and 64 bit...

[dfsdfgfkjsefoiqzemnd]

 

Quote

Windows 10 is the most secure version of Windows ever.

 

 

 

 

Damn, laughing too hard really hurts after a while. 

Anyway, this is bad.  Hopefully MS releases an emergency patch soon.

[LukeSavenije]

14 minutes ago, GoodBytes said:

Contrary to the title, it affects all version of Windows 10 (and possibly earlier ones)

it does? anything to show me that it does?

[AlTech]

@Silentprototipe Also omg this feels like that moment in Doomsday Act 2 Heist with Bogdan saying "American Agents, you are making a grave mistakes" lmfao

[Chunchunmaru_]

 

Quote

Windows 10 is the most secure version of Windows ever.

5 minutes ago, Captain Chaos said:

Damn, laughing so hard really hurts after a while. 

Anyway, this is bad.  Hopefully MS releases an emergency patch soon.

Well... it is compared to other versions of Windows

it's not comforting though...

[dfsdfgfkjsefoiqzemnd]

7 minutes ago, Chunchunmaru_ said:

Well... it is compared to other versions of Windows

ermm ...

 

 

See how that skyrocketed as Win10 was released?  Win10 had more vulnerabilities in 2 years than Win7 had in 5. 

 

 

And while it is getting better in recent years, it's still nowhere near good.  In fact it's still worse than 8.1 or 7.

 

 

 

[GoodBytes]

20 minutes ago, LukeSavenije said:

it does? anything to show me that it does?

The version of Windows 10 in the video is older than 1903.

And at no point it says it affects 1903 only.

 

[HarryNyquist]

Talk about a bad translation lol.

 

It looks like the malicious entity needs an account on the system (or access to one) to begin with.