A security researcher with Twitter, aka SandboxEscaper, released today Proof of Concept (PoC) exploits a new zero-day vulnerability affecting the Windows operating system of Microsoft.
SandboxEscaper is the same researcher who previously dropped exploits for two Windows zero-day vulnerabilities, leaving hackers vulnerable to all Windows users until they were patched by Microsoft.
The newly disclosed unpatched Windows zero-day vulnerability is an arbitrary file read problem that could allow a low-privileged user or malicious program to read the content of any file on a targeted Windows computer that would otherwise only be possible through the privileges of the administrator.
https://t.co/yHxeJRyQrC New 0day. My github got taken down. And screw it, I’m not going to get anything for this bug anymore. So you can all go fuck yourselves. Bye, happy holidays.
— SandboxEscaper (@Evil_Polar_Bear) December 20, 2018
The zero-day vulnerability lies in the ” MsiAdvertiseProduct ” function of Windows, which generates ” an advertisement script or advertises a product to the computer and allows the installer to write to a script the registry and shortcut information used to assign or publish a product.
“This is still bad news even without an enumeration vector, because many document, software, such as office, will actually keep files in static locations containing the full path and file names of recently opened documents,” the researcher said. ” So you can get filenames of documents created by other users by reading files like this.
The file system is a spider web and references can be found everywhere to user – created files. Apart from sharing video demonstration of the vulnerability, SandboxEscaper also posted a link to a Github page hosting its proof-of-concept (PoC) exploit for the third Windows zero-day vulnerability, but the GitHub account of the researcher has since been removed.
This is the third time that SandboxEscaper has released a Windows zero-day vulnerability in the last few months. In October, SandboxEscaper released a PoC exploit for Microsoft Data Sharing privilege escalation vulnerability that enabled a low-privileged user to remove critical system files from a targeted Windows system.
At the end of August, the researcher disclosed details and PoC exploited a local privilege escalation problem in Microsoft Windows Task Scheduler due to errors in the handling of the Advanced Local Procedure Call (ALPC). Shortly after the release of the PoC, the vulnerability of that day was actively exploited in the wild before Microsoft addressed it in the Security Patch Tuesday updates in September 2018.