Patch Tuesday is just around the corner and SandboxEscaper has continued to drop exploits one after another. A second bypass exploit, named ByeBear, was released publicly for the already-patched CVE-2019-0841. SandboxEscaper had earlier published four other zero-days, including the first exploit for CVE-2019-0841.
This is an elevation of privilege vulnerability in the Windows AppX Deployment Service (AppXSVC) caused by improper handling of hard links. The vulnerability was reported to Microsoft by Nabeel Ahmed of Dimension Data Belgium and many others, and was patched in Microsoft's April 2019 Patch Tuesday updates. However, SandboxEscaper found two methods to bypass the patch and elevate privileges, so the patch had not fully fixed the issue.
The exploit was tested against Microsoft Edge but is believed to work with other packages too. As with other Local Privilege Escalation (LPE) bugs, an attacker must first be logged on to the system. The attacker can then elevate privileges from a normal user to Administrator by running a specially crafted malicious application. According to SandboxEscaper, reproducing the exploit involves two steps:
- Launching the PoC
- Launching Edge several times
The bypass can be carried out by initially deleting the files under:
and then launching Edge several times. Edge crashes the first time but, on relaunch, writes the target files' DACLs while impersonating the "SYSTEM" account. Microsoft Edge has to be launched from the taskbar or the desktop shortcut using 'start microsoft-edge:' for the impersonation to work correctly. Successful exploitation gives full access to the target file. The PoC demonstrates this by elevating the permissions on the 'win.ini' file.
The exploit abuses a race condition by raising its thread priority on a multi-core machine. Most current systems have multiple cores, which increases the likelihood of successful exploitation.
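The observable outcome of the PoC is a system file (win.ini in the published case) whose DACL grants write-class rights to a low-privilege principal. The following PowerShell script is an added example, not code from the original post or from SandboxEscaper, that audits a list of files for exactly that condition so a defender can check for a successful run. The file list and the set of low-privilege principals are assumptions chosen for illustration; adjust them to the files and groups relevant to your environment.

```powershell
# Added example (not from the original post): flag files whose DACL grants
# write-class rights to non-privileged principals. win.ini is the file named
# in the PoC; the other entries below are assumed and can be extended.
$paths = @(
    "$env:SystemRoot\win.ini",
    "$env:SystemRoot\System32\drivers\etc\hosts"   # assumed additional target
)

# Rights that allow modifying a file's content, its ACL, or its owner
$writeRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::WriteData -bor
               [System.Security.AccessControl.FileSystemRights]::AppendData -bor
               [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
               [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl

# Principals that should never hold write rights on system files (assumed set;
# these names are the English well-known names and are localized on other systems)
$lowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

function Test-WeakDacl {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Skipping missing file: $Path"
        return @()
    }

    $acl = Get-Acl -LiteralPath $Path
    $findings = foreach ($ace in $acl.Access) {
        # Only Allow ACEs can grant access
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $isLowPriv = $lowPrivPrincipals -contains $ace.IdentityReference.Value
        $hasWrite  = (([int]$ace.FileSystemRights) -band ([int]$writeRights)) -ne 0

        if ($isLowPriv -and $hasWrite) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # an explicit (non-inherited) ACE is the more suspicious case
                Owner     = $acl.Owner
            }
        }
    }
    return @($findings)
}

foreach ($p in $paths) {
    $hits = Test-WeakDacl -Path $p
    if ($hits.Count -gt 0) {
        Write-Output "SUSPICIOUS: $p grants write rights to a low-privilege principal"
        $hits | Format-Table -AutoSize
    } else {
        Write-Output "OK: $p"
    }
}
```

Run the script in an elevated PowerShell session so `Get-Acl` can read every file's security descriptor. An explicit, non-inherited Allow ACE for `BUILTIN\Users` or `Everyone` on a file under `%SystemRoot%` is the signature worth alerting on; an inherited entry usually points at a misconfigured parent directory rather than at this exploit. On non-English systems replace the principal names with the localized equivalents, or compare SIDs instead (for example via `$ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])`).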
Microsoft warned that it would be rolling out multiple updates to address the issues, while SandboxEscaper claims that there is yet another zero-day still to be published.
The following versions are reported as affected:
- Windows 10 1809
- Windows 10 1903
- Windows Server 2019
A logged-in user can gain Administrator or SYSTEM privileges on the machine. After exploitation, an attacker gains full control of a fully patched Windows machine.
There is currently no workaround or remediation available; we will continue to monitor this vulnerability and update this post as and when a fix is released. In the meantime, our general recommendation is to educate your teams about maintaining security hygiene.