A security researcher who uses the online handle SandboxEscaper has published proof-of-concept exploit code for an unpatched vulnerability in Windows.
The flaw is located in the “MsiAdvertiseProduct” function, which, according to Microsoft’s documentation, enables an installer to “advertise” shortcut and registry information about a product to Windows by writing it to a script.
According to SandboxEscaper, a malicious application could trigger a race condition in this functionality, allowing it to read arbitrary files with SYSTEM privileges. For example, a limited user account could exploit this to read files belonging to other users that would not normally be accessible to that account.
While the vulnerability cannot be exploited by malware to gain full control of a system, it can be used to access potentially sensitive information. A potential attacker would need to know the location of the targeted files, but according to the researcher, this is not a big impediment.
“Even without an enumeration vector, this is still bad news, because a lot of document software, like Office, will actually keep files in static locations that contain the full path and filenames of recently opened documents,” the researcher said in his exploit notes. “Thus by reading files like this, you can get filenames of documents created by other users … the filesystem is a spiderweb and references to user-created files can be found everywhere … so not having an enumeration bug is not that big of a deal.”
Researchers from ACROS Security, which runs the 0patch.com micropatching service, confirmed that the published proof-of-concept exploit works and indeed provides read access to files the initiating user shouldn’t have access to.
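The bug class described above, a race between a privileged component's access check and its use of the checked path, is easier to reason about with a small model. The following is an added illustration written for this page; it is not SandboxEscaper's proof of concept and does not reproduce the internals of MsiAdvertiseProduct, which the article does not describe. It simulates a privileged reader that checks a caller-supplied path and then opens it by name, with a hook standing in for the window in which the caller swaps the file for a symbolic link, and contrasts it with a hardened reader that opens relative to a trusted directory handle with `O_NOFOLLOW` and validates the opened object rather than the name. All file and directory names are constructed for the demonstration.

```python
import os
import stat
import tempfile


def privileged_read_vulnerable(allowed_dir, user_path, hook=None):
    """Check-then-open by name (TOCTOU): the name is validated, then reopened.

    `hook` is a test seam standing in for the race window; a concurrent
    caller can change what `user_path` refers to between the two steps.
    """
    resolved = os.path.realpath(user_path)
    if os.path.dirname(resolved) != os.path.realpath(allowed_dir):
        raise PermissionError("path is outside the allowed directory")
    if hook is not None:
        hook()  # window between check and use
    with open(user_path, "rb") as f:  # re-resolves the name: follows any new symlink
        return f.read()


def privileged_read_hardened(allowed_dir, name, hook=None):
    """Open relative to a held directory handle and validate the opened object.

    The caller supplies a single filename, not a path, so traversal is rejected
    up front; O_NOFOLLOW refuses a symlink planted in the race window; fstat on
    the descriptor checks what was actually opened, not what the name said.
    """
    if not name or name in (".", "..") or os.sep in name or (os.altsep and os.altsep in name):
        raise PermissionError("name must be a single path component")
    dir_fd = os.open(allowed_dir, os.O_RDONLY | os.O_DIRECTORY)
    try:
        if hook is not None:
            hook()  # same race window; the directory handle is already held
        fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dir_fd)
    finally:
        os.close(dir_fd)
    with os.fdopen(fd, "rb") as f:
        if not stat.S_ISREG(os.fstat(f.fileno()).st_mode):
            raise PermissionError("opened object is not a regular file")
        return f.read()


def demo():
    """Run both readers against a constructed layout; returns (leaked, blocked)."""
    with tempfile.TemporaryDirectory() as tmp:
        allowed = os.path.join(tmp, "allowed")
        os.mkdir(allowed)
        secret = os.path.join(tmp, "secret.txt")      # outside the allowed directory
        target = os.path.join(allowed, "doc.txt")     # the file the caller may read
        with open(secret, "wb") as f:
            f.write(b"SECRET")
        with open(target, "wb") as f:
            f.write(b"public")

        def swap_for_symlink():
            # Simulated racing caller: replace the checked file with a link to the secret.
            os.remove(target)
            os.symlink(secret, target)

        leaked = privileged_read_vulnerable(allowed, target, hook=swap_for_symlink)

        os.remove(target)
        with open(target, "wb") as f:
            f.write(b"public")
        try:
            privileged_read_hardened(allowed, "doc.txt", hook=swap_for_symlink)
            blocked = False
        except OSError:  # ELOOP from O_NOFOLLOW on the planted symlink
            blocked = True
        return leaked, blocked


if __name__ == "__main__":
    print(demo())  # (b'SECRET', True)
```

The point of the hardened version is that every decision is made on the object that was actually opened: the directory handle is acquired once and reused, the final component may not be a link, and the descriptor is inspected after the fact. On Windows the equivalent defence for a service acting on behalf of a caller is to impersonate the client for the open so that the kernel applies the caller's own access rights, rather than checking a name as SYSTEM and then opening it as SYSTEM.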
This is the third zero-day flaw publicly disclosed by SandboxEscaper since August. The first one, located in the Windows Task Scheduler, allowed for privilege escalation and was quickly adopted by hackers and used in real-world attacks. In October, the researcher released details about a second vulnerability in the Windows Data Sharing Service (dssvc.dll) that could be used to delete system files.
SandboxEscaper, who claims to have been unemployed for years and to be doing this only as a hobby, recently published a notification, supposedly received from Google, informing them that the FBI had asked for information related to their Google account. GitHub suspended the researcher’s account that was used to host the previous exploits.

U.S. Charges Two Alleged Members of Chinese Cyberespionage Group
The U.S. Department of Justice has charged two Chinese nationals with conspiracy to commit computer intrusions and other offenses in relation to the activity of a cyberespionage group called APT10.
APT10, also known in the security industry as Red Apollo, CVNX, Stone Panda and Potassium, has been active since at least 2006 and has targeted organizations from multiple industries, as well as government agencies from around the world. The group’s primary goal was to steal intellectual property and confidential business and technology information.
Prosecutors allege that Chinese nationals Zhu Hua and Zhang Shilong were members of APT10 between 2006 and 2018 while working for a Chinese company called Huaying Haitai Science and Technology Development Company (Huaying Haitai) and that they acted in association with the Chinese Ministry of State Security’s Tianjin State Security Bureau.
“The APT10 Group targeted a diverse array of commercial activity, industries and technologies, including aviation, satellite and maritime technology, industrial factory automation, automotive supplies, laboratory instruments, banking and finance, telecommunications and consumer electronics, computer processor technology, information technology services, packaging, consulting, medical equipment, healthcare, biotechnology, pharmaceutical manufacturing, mining, and oil and gas exploration and production,” the DoJ said in a press release. “Among other things, Zhu and Zhang registered IT infrastructure that the APT10 Group used for its intrusions and engaged in illegal hacking operations.”
The indictment links the defendants and APT10 to computer intrusions at more than 45 technology companies and government agencies from at least a dozen U.S. states. The victim list includes NASA’s Goddard Space Center and Jet Propulsion Laboratory and the U.S. Department of Energy’s Lawrence Berkeley National Laboratory.