Another 0-day Windows flaw has been posted on Twitter

SandboxEscaper, the researcher who in August tweeted a Windows privilege escalation bug, has published another unpatched Windows flaw on Twitter.

The new bug has some similarities to the previous one. Windows services generally run with elevated privileges. Sometimes they perform actions on behalf of a user, and to do this they use a feature called impersonation: the service temporarily acts as if it held the privilege set of a particular user. Once that action is finished, it reverts to its own, privileged identity.

This bug and the previous SandboxEscaper bug both stem from improper use of impersonation: in particular, the services in question used their elevated privileges where they should have been impersonating the user. The previous bug allowed one file to be written over another. In this case, a file-deletion call is made under the wrong identity, which ultimately lets an ordinary unprivileged user delete any file on the system, including files they should not have access to.

The new bug appears to have a significant timing component: two actions must occur at the same moment for impersonation to end prematurely. SandboxEscaper explains that, because of this, triggering it on a single-core machine seems unlikely, but multi-core machines are vulnerable. The SandboxEscaper proof of concept, published on GitHub, attempts to delete the Windows PCI driver. For that reason, we do not recommend running it on a system you care about, since Windows will not boot once that file is gone.

The data sharing service was only introduced with Windows 10; the bug therefore affects only Windows 10, Windows Server 2016, and Windows Server 2019.
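For a defender, the practical question is which hosts fall into the affected group and whether a deletion like the one in the proof of concept would leave a trace. The following PowerShell snippet is an added triage example, not code from the article or from SandboxEscaper; it assumes the "data sharing service" is the Windows service named DsSvc (display name "Data Sharing Service") and that the affected platforms are exactly those listed above. It does not check patch status, since no update is named here.

```powershell
# Added example, not from the article: triage one host for exposure to the bug above.
# Assumptions: the "data sharing service" is the Windows service DsSvc, and the affected
# platforms are Windows 10, Server 2016 and Server 2019 (all report major version 10).

$os  = Get-CimInstance -ClassName Win32_OperatingSystem
$svc = Get-Service -Name DsSvc -ErrorAction SilentlyContinue

$isVersion10 = [version]$os.Version -ge [version]'10.0'

# Is file-system object-access auditing enabled? If so, deletion of a protected
# file (such as a driver) surfaces as Security log events 4660/4663, which is
# the detection angle for this class of bug. auditpol needs an elevated shell.
$auditLine = (auditpol /get /subcategory:"File System" 2>$null |
              Where-Object { $_ -match 'File System' }) -join ' '

[pscustomobject]@{
    Host               = $env:COMPUTERNAME
    OSCaption          = $os.Caption
    OSVersion          = $os.Version
    Version10Family    = $isVersion10
    DsSvcPresent       = [bool]$svc
    DsSvcStatus        = if ($svc) { $svc.Status.ToString() } else { 'not installed' }
    PotentiallyExposed = $isVersion10 -and [bool]$svc
    FileSystemAudit    = if ($auditLine) { $auditLine.Trim() } else { 'unknown (run elevated)' }
}
```

Run it from an elevated PowerShell session so the audit-policy query succeeds. `PotentiallyExposed` is a coarse inventory flag (right OS family and the service present), not a confirmation that the host is vulnerable; pair it with the vendor's patch guidance once it exists, and with file-system auditing on the system directories so that unexpected deletions are logged.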

The previous bug was subsequently used by malicious groups in their malware. The new bug will be harder to exploit that way, since the ability to delete files is less useful than the ability to overwrite them.
