Researcher releases Windows 10 privilege escalation zero-day

May 22, 2019 | 11:12

Tags: #0day #exploit #insecurity #local-privilege-escalation #lpe #polar-bear-lpe #sandboxescaper #security #vulnerability #windows-10 #windows-task-scheduler

Companies: #microsoft

A pseudonymous security researcher has released a Windows 10 zero-day exploit for local privilege escalation (LPE), and claims to have another four as-yet unpatched exploits waiting in the wings.

So-called 'zero-day' exploits are serious stuff in the security world, representing a way of attacking a previously-unknown vulnerability before the vendor can release a patch or workaround. The majority of security researchers work to avoid the release of zero-day exploits by notifying vendors of security flaws privately and allowing them time to fix the vulnerabilities before making any public announcements; a minority, however, simply throw the vulnerabilities out into the world.

A pseudonymous researcher calling himself 'SandboxEscaper' falls into the latter category, and was spotted by Security Week releasing a zero-day exploit for a previously-unknown local privilege escalation vulnerability in Microsoft's Windows 10 operating system to GitHub. Exploiting a flaw in the Windows Task Scheduler, the 'Polar Bear LPE' attack causes arbitrary code to be executed under the highest 'system' privilege level. While it can't be used to directly attack a system, it can - as with any privilege escalation exploit - be used to turn an otherwise minor attack using a code execution vulnerability into a complete take-over of the system.

In the researcher's blog, 'SandboxEscaper' claims to have a further '4 more unpatched bugs where that one came from: 3 LPEs (all gaining code exec[ution] as system, not lame delete bugs or whatever), and one sandbox escape'. In earlier posts, the researcher also expresses anti-Western sentiments and offers to sell Windows local privilege escalation exploits to 'non-western people' for not less than '60k' - and while no currency is mentioned, earlier posts talk about hiking the Pennine Way and fording a river in Scotland. 'I don't owe society a single thing,' the researcher writes. 'Just want to get rich and give you fucktards in the west the middlefinger [sic].'

The exploit has been confirmed as functional against a fully-patched Windows 10 installation by CERT vulnerability analyst Will Dormann via Twitter. Thus far, Microsoft has not commented on the vulnerability nor offered a timescale for a patch.

UPDATE 20190523:

True to their word, 'SandboxEscaper' has released additional zero-day exploits confirmed as affecting fully up-to-date Windows 10 installations. 'There's two more bugs on github,' they write of the releases. 'Fuck this shitty industry. I don't plan to make a career in it anyway. I hate all the people involved in this industry. Everyone just thinks they know better. Everyone just loves pointing fingers. Bunch of apes.' Microsoft has still not issued comment on the vulnerabilities targeted.

Discuss this in the forums
Mod of the Month May 2019 in Association with Corsair

June 13 2019 | 09:59