
SandboxEscaper disclosed 3 Microsoft zero-day flaws in 24 hours

Yesterday SandboxEscaper publicly disclosed a Windows zero-day vulnerability; in less than 24 hours she has now disclosed two more previously unknown issues.

Just yesterday, the popular developer SandboxEscaper publicly disclosed a Windows zero-day vulnerability in the Task Scheduler, and now, in less than 24 hours, she has revealed two more unpatched Microsoft zero-day flaws.

The two new zero-day issues affect the Microsoft Windows Error Reporting service and Internet Explorer 11.

The new disclosures are not surprising; SandboxEscaper announced them in advance. Yesterday she said she had at least another four Windows zero-day vulnerabilities: three local privilege escalation (LPE) issues leading to code execution and a sandbox escape.

SandboxEscaper initially considered selling the exploits for these issues to non-Western buyers, asking at least 60,000 for each of the Local Privilege Escalation bugs.

One of the Microsoft zero-day vulnerabilities disclosed in these hours affects the Windows Error Reporting service and could be exploited through a discretionary access control list (DACL) operation. A DACL identifies the trustees that are allowed or denied access to a securable object.

An attacker could exploit the flaw to delete or edit any Windows file, including system executables.

The issue was dubbed AngryPolarBearBug2 by SandboxEscaper because it is linked to another Windows Error Reporting service flaw she found in 2018 and called AngryPolarBearBug. AngryPolarBearBug could be exploited by a local, unprivileged attacker to overwrite any chosen file on the system.

SandboxEscaper explained that the Windows zero-day is hard to exploit.

“It can take upwards of 15 minutes for the bug to trigger. If it takes too long, closing the program, cleaning out the reportarchive folder in programdata (it may mess up the timing if there’s too many reports in there as result of running our poc for too long), deleting the c:\blah folder.. etc.. might help,” wrote the expert.

“I guess a more determined attacker might be able to make it more reliable. It is just an insanely small window in which we can win our race, I wasn’t even sure if I could ever exploit it at all.”

“I don’t see a way to use OPLOCKS to reliably win the race.. and while I can make it work fairly reliable in my VM, I need to use a ‘rand()’ function to bruteforce a delay needed to hit the correct timing.. because this timing will vary wildly from hardware setup to setup.”

The second Microsoft zero-day flaw disclosed by SandboxEscaper affects Microsoft’s web browser, Internet Explorer 11 (IE11).

The expert did not share technical details on the issue but published a video PoC showing that the vulnerability could be exploited by tricking the victim’s browser into handling a maliciously crafted DLL file. The link to the video is below.

https://github.com/SandboxEscaper/polarbearrepo/raw/master/sandboxescape/demo.mp4

The zero-day could be exploited by an attacker to bypass the IE Protected Mode sandbox and execute arbitrary code with Medium integrity permissions.

Since August, SandboxEscaper has publicly dropped exploits for two Windows zero-day vulnerabilities, forcing Microsoft to quickly address them to avoid its users being targeted by hackers.

In October, SandboxEscaper released the proof-of-concept exploit code for Microsoft Data Sharing that allowed a low privileged user to delete critical system files from Windows systems.

In December, she published proof-of-concept (PoC) code for a new Windows zero-day, the fourth she released this year.

Stay tuned …



Pierluigi Paganini

(SecurityAffairs – Windows zero-day, SandboxEscaper)


Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and a writer for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
