steven36 Posted October 24, 2018

The unpatched flaw allows an attacker to delete any kind of file on a victim machine, including system data.

A proof-of-concept exploit for a Windows zero-day that works on fully patched Windows 10 machines has been released by a security researcher. It allows an attacker to delete any kind of file on a victim machine, including system data.

The flaw (no CVE has been assigned since it was just exposed on Wednesday) is an elevation-of-privilege zero-day vulnerability in Microsoft’s Data Sharing Service (dssvc.dll). This is a local service that runs as a LocalSystem account with extensive privileges, and enables data to be brokered between applications.

According to SandboxEscaper, who released the PoC, the bug allows an adversary to delete application libraries (DLL files) – which means that the affected applications will then go look for their libraries elsewhere. If an application finds its way to a user-writeable location, it gives an attacker an opportunity to upload his or her own malicious library, resulting in machine compromise.

“This could be exploited to facilitate lateral movement within an organization or even potentially destructive purposes – such as deletion of key system files, rendering a system inoperable,” Tom Parsons, head of research at Tenable, said in an emailed breakdown.

To the latter point, in the PoC, a program that SandboxEscaper dubbed “Deletebug.exe” deletes a system file – pci.sys – on the target computer, which means a user can no longer restart it. The machine is rendered unbootable.

Will Dormann, vulnerability analyst at CERT/CC, and 0patch’s Mitja Kolsek both confirmed the vulnerability and were able to exploit it on fully patched and updated Windows 10 machines. Via Twitter, Dormann added that Data Sharing Service does not seem to be present on Windows 8.1 and earlier systems.

Researcher Kevin Beaumont confirmed the exploit as working on “Windows 10 and Server 2016 (and 2019) only.” He added that it “allows non-admins to delete any file by abusing a new Windows service not checking permissions again.”

“It reportedly affects the very latest versions of Microsoft operating systems and not older ones, so users may have wrongly assumed they were more secure,” said Parsons. “In addition, given that it affects both server and client operating systems, and with Windows 10 the second-most prevalent MS desktop/client OS after Windows 7, will also make this attractive to attackers.”

However, don’t expect a raft of attacks incorporating the exploit just quite yet: SandboxEscaper describes the bug as “low-quality” and a “pain to exploit.”

Quote
https://t.co/1Of8EsOW8z Here's a low quality bug that is a pain to exploit.. still unpatched. I'm done with all this anyway. Probably going to get into problems because of being broke now.. but whatever.
— SandboxEscaper (@SandboxEscaper) October 23, 2018

Tenable’s Parsons elaborated: “To put the threat into perspective, an attacker would already need access to the system or to combine it with a remote exploit to leverage the vulnerability,” he said.

Beaumont also weighed in on the exploitability, noting that meaningful exploitation would take some doing:

Quote
It’s a cool find again. I think it would be fairly difficult to exploit in a meaningful way, you could possibly do it against some OEM drivers (eg graphics card update process) but I can’t imagine practical.
— Kevin Beaumont (@GossiTheDog) October 23, 2018

While Microsoft has not yet commented on the bug, 0Patch has released a micropatch for the flaw, which it said “successfully blocks the exploit by adding impersonation to the DeleteFileW call… the Delete operation now gets an “ACCESS DENIED” due to impersonation.”

Quote
7 hours after the 0day in Microsoft Data Sharing Service was dropped, we have a micropatch candidate that successfully blocks the exploit by adding impersonation to the DeleteFileW call. As you can see, the Delete operation now gets an "ACCESS DENIED" due to impersonation. pic.twitter.com/qoQgMqtTas
— 0patch (@0patch) October 23, 2018

If SandboxEscaper sounds familiar, it’s because the bug-hunter also disclosed a zero-day in August that made waves, in Windows Task Scheduler. Microsoft patched it in September’s Patch Tuesday.

Source
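
A simplified model of the fix quoted above, added here as an illustration; it is not code from dssvc.dll, the PoC or the 0patch micropatch. The `Token` and `File` types, the sample files and `broker_delete` are hypothetical stand-ins that show why a delete performed under the service's identity succeeds while the same delete performed under the caller's identity returns access denied.

```c
/* Simplified model (added example): not dssvc.dll, PoC or micropatch code. */
#include <stdio.h>
#include <string.h>

#define STATUS_OK            0
#define ERROR_FILE_NOT_FOUND 2
#define ERROR_ACCESS_DENIED  5

/* Hypothetical stand-ins for a security token and a file with an owner. */
typedef struct { const char *name; int is_system; } Token;
typedef struct { const char *path; const char *owner; int exists; } File;

static const Token SERVICE = { "LocalSystem", 1 };   /* broker's own identity */
static File fs[] = {                                  /* constructed samples */
    { "pci.sys",   "LocalSystem", 1 },
    { "notes.txt", "alice",       1 },
};
#define NFILES (sizeof fs / sizeof fs[0])

static int may_delete(const Token *t, const File *f) {
    return t->is_system || strcmp(t->name, f->owner) == 0;
}

void reset_fs(void) { for (size_t i = 0; i < NFILES; i++) fs[i].exists = 1; }

int file_exists(const char *path) {
    for (size_t i = 0; i < NFILES; i++)
        if (strcmp(fs[i].path, path) == 0) return fs[i].exists;
    return 0;
}

/* impersonate == 0: access is checked against the service's token.
 * impersonate == 1: access is checked against the caller's token. */
int broker_delete(const Token *caller, const char *path, int impersonate) {
    const Token *effective = impersonate ? caller : &SERVICE;
    for (size_t i = 0; i < NFILES; i++) {
        if (!fs[i].exists || strcmp(fs[i].path, path) != 0) continue;
        if (!may_delete(effective, &fs[i])) return ERROR_ACCESS_DENIED;
        fs[i].exists = 0;
        return STATUS_OK;
    }
    return ERROR_FILE_NOT_FOUND;
}

int main(void) {
    Token alice = { "alice", 0 };                     /* non-admin caller */
    printf("no impersonation: %d\n", broker_delete(&alice, "pci.sys", 0));
    reset_fs();
    printf("impersonation:    %d\n", broker_delete(&alice, "pci.sys", 1));
    return 0;
}
```
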

K7108 Posted October 24, 2018

lmao @win10 ...what a piece of work crap

Karlston Posted October 24, 2018

7 hours after Microsoft inflicted it on users, a third-party has a patch for it. Meanwhile over in Microsoft cloud-cuckoo land, there's not even an acknowledgement of the security flaw.

All together now for the Microsoft Windows 10 song... a 1 an' a 2 an' a 3... Windows 10 is the most secure version of Windows ever...

straycat19 Posted October 25, 2018

People are having a hard time saying anything nice about Microsoft or Windows, but I finally found something nice to say. It is nice you can install Linux in the place of Windows without harming your hardware.

Archived
This topic is now archived and is closed to further replies.