Windows 10 Sandbox activation enables zero-day vulnerability

[silversurfer]

A reverse engineer discovered a new zero-day vulnerability in most Windows 10 editions, which allows creating files in restricted areas of the operating system. Exploiting the flaw is trivial and attackers can use it to further their attack after initial infection of the target host, albeit it works only on machines with Hyper-V feature enabled.

Reverse engineer Jonas Lykkegaard posted last week a tweet showing how an unprivileged user can create an arbitrary file in ‘system32,’ a restricted folder holding vital files for Windows operating system and installed software. However, this works only if Hyper-V is already active, something that limits the range of targets since the option is disabled by default and is present in Windows 10 Pro, Enterprise, and Education.

CERT/CC vulnerability analyst Will Dormann confirmed that the vulnerability exists and that exploiting it requires literally no effort from an attacker on the host. The researcher told BleepingComputer that the vulnerable component is ‘storvsp.sys’ (Storage VSP - Virtualization Service Provider), a server-side Hyper-V component.

 

[SecurityNightmares]

Isn't Hyper-V also used for Application Guard?

 

[oldschool]

Isn't Hyper-V also used for Application Guard?

Yes.

 

[Andy Ful]

Works on my computer. The bypass uses "\Device\STORVSP\vSMB\??\" so I will test it tomorrow with disabled SMB protocols.

Edit.
This bypass works on my machine also with disabled SMB protocols.

 

[lykk]

yarh- the vsmb referred in the path is the smbcousion protocol used between hyper-vhost and inside guestvm
By opening the path .like that it is equilant to opening through \device\mup\;lanmanredirector\localhost\c$ for normal smb- but normal mup device impersonates and forces accesscheck.

 

[v3n00m]

Works on my computer. The bypass uses "\Device\STORVSP\vSMB\??\" so I will test it tomorrow with disabled SMB protocols.

Edit.
This bypass works on my machine also with disabled SMB protocols.

that is very intrested also is it the smb protocols was disabled ?

 

[Soulbound]

Just to remind that potential drama posts will be removed and appropriate actions taken. please keep it civilized.

Affected posts have been removed.

 

[Andy Ful]

Some interesting articles about Hyper-V architecture & vulnerabilities:

https://i.blackhat.com/us-18/Wed-August-8/us-18-Joly-Bialek-A-Dive-in-to-Hyper-V-Architecture-and-Vulnerabilities.pdf

https://i.blackhat.com/us-18/Thu-August-9/us-18-Rabet-Hardening-Hyper-V-Through-Offensive-Security-Research.pdf

and more:

First Steps in Hyper-V Research – Microsoft Security Response Center

msrc-blog.microsoft.com

 

[Andy Ful]

that is very intrested also is it the smb protocols was disabled ?

Yes. As @lyyk noticed, the bypass is not related to the host SMB protocols.

 

[Andy Ful]

In such a complex system as Windows 10, there are many uncovered vulnerabilities, and others are added in each Windows update. Of course, the updates are important, because they remove the already known vulnerabilities. The only sensible way to improve the consumers' security on Windows 10 (against uncovered vulnerabilities) is finding new vulnerabilities via the Bug Bounty Reward program. So, the researchers and hackers are still paid (by Microsoft) but cybercriminals cannot use these vulnerabilities before the patch is found (usually).

 

[SecurityNightmares]

via the Bug Bounty Reward program

But the hacker say that the bounty is too little. That's the reason for this public report.

 

[Andy Ful]

But the hacker say that the bounty is too little. That's the reason for this public report.

We do not know for sure when he discovered this vulnerability and how long MS knows about it. Because it is related mainly to enterprises and allows privilege escalation (writing to system trusted locations), the patch will be pushed quickly. So, home users can happily forget about it.

Post edited.

 

[upnorth]

this vulnerability and how long MS knows about it. Because it is related mainly to enterprises and allows privilege escalation, the patch will be pushed quickly.

I haven't fully checked myself, but have Microsoft actually officially acknowledge this as a vulnerability and also stated a patch is on it's way?

 

[Andy Ful]

I haven't fully checked myself, but have Microsoft actually officially acknowledge this as a vulnerability and also stated a patch is on it's way?

I have not seen any MS statements about it.