Windows 10 Sandbox activation enables zero-day vulnerability

silversurfer
A reverse engineer discovered a new zero-day vulnerability in most Windows 10 editions, which allows creating files in restricted areas of the operating system. Exploiting the flaw is trivial and attackers can use it to further their attack after the initial infection of the target host, although it works only on machines with the Hyper-V feature enabled.

Reverse engineer Jonas Lykkegaard posted a tweet last week showing how an unprivileged user can create an arbitrary file in ‘system32,’ a restricted folder holding vital files for the Windows operating system and installed software. However, this works only if Hyper-V is already active, something that limits the range of targets since the option is disabled by default and is present in Windows 10 Pro, Enterprise, and Education.
CERT/CC vulnerability analyst Will Dormann confirmed that the vulnerability exists and that exploiting it requires literally no effort from an attacker on the host. The researcher told BleepingComputer that the vulnerable component is ‘storvsp.sys’ (Storage VSP - Virtualization Service Provider), a server-side Hyper-V component.
 

Andy Ful
Works on my computer. The bypass uses "\Device\STORVSP\vSMB\??\" so I will test it tomorrow with disabled SMB protocols.

Edit.
This bypass works on my machine also with disabled SMB protocols.
 

lykk
Yeah, the vSMB referred to in the path is the SMB cousin protocol used between the Hyper-V host and the guest VM inside it.
Opening the path like that is equivalent to opening it through \device\mup\;lanmanredirector\localhost\c$ for normal SMB, but the normal MUP device impersonates and forces an access check.
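The two posts above give the preconditions for this issue (Hyper-V enabled, the storvsp.sys Storage VSP driver loaded) and explain why disabling the ordinary SMB protocols does not matter (vSMB is a separate host-to-guest transport). The script below is an added example, not code from the thread, from Jonas Lykkegaard, or from Microsoft: it does not attempt the bypass, it only reports whether this host meets those preconditions, so an administrator can tell which machines are in scope before a patch lands. It assumes the driver is registered under the service name storvsp (the name of the binary), that Get-WindowsOptionalFeature is run from an elevated prompt, and the Exposed heuristic at the end is this example's own summary of the thread's conditions, not a vendor statement.

```powershell
# Added example: exposure check for the storvsp.sys / vSMB file-creation issue.
# It does NOT exercise the bypass. Run in an elevated Windows 10 PowerShell.
# Assumptions (not from the thread): service name 'storvsp' for the driver,
# and the 'Exposed' rule below, which just combines the conditions the thread names.

function Get-StorvspExposure {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # 1. Hyper-V optional feature. It is off by default and exists only on
    #    Pro/Enterprise/Education; on Home the query returns nothing.
    $hv = Get-WindowsOptionalFeature -Online -FeatureName 'Microsoft-Hyper-V' -ErrorAction SilentlyContinue
    $result.HyperVFeatureState = if ($hv) { $hv.State.ToString() } else { 'NotAvailable' }

    # 2. The Storage VSP driver: is it registered, is it running, is the binary on disk?
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='storvsp'" -ErrorAction SilentlyContinue
    $result.StorvspServiceState  = if ($drv) { $drv.State } else { 'NotInstalled' }
    $result.StorvspBinaryPresent = Test-Path (Join-Path $env:SystemRoot 'System32\drivers\storvsp.sys')

    # 3. Host SMB server protocol state, shown for context only. Per the thread,
    #    vSMB is a separate transport, so turning SMB1/SMB2 off here is not a mitigation.
    $smb = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($smb) {
        $result.SMB1Enabled = $smb.EnableSMB1Protocol
        $result.SMB2Enabled = $smb.EnableSMB2Protocol
    }

    # Example's own summary rule: in scope when Hyper-V is enabled and the VSP driver is loaded.
    $result.Exposed = ($result.HyperVFeatureState -eq 'Enabled') -and
                      ($result.StorvspServiceState -eq 'Running')

    [pscustomobject]$result
}

Get-StorvspExposure | Format-List
```

A host that reports Exposed = True with SMB1Enabled and SMB2Enabled both False matches what Andy Ful observed above: the bypass still worked with the SMB protocols disabled. The value of the check is triage, not protection; the only fix for the component itself is the vendor patch.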
 

g4nu5
Works on my computer. The bypass uses "\Device\STORVSP\vSMB\??\" so I will test it tomorrow with disabled SMB protocols.

Edit.
This bypass works on my machine also with disabled SMB protocols.
That is very interesting. Also, was it with the SMB protocols disabled?
 


Andy Ful
In such a complex system as Windows 10, there are many uncovered vulnerabilities, and others are added in each Windows update. Of course, the updates are important, because they remove the already known vulnerabilities. The only sensible way to improve consumers' security on Windows 10 (against uncovered vulnerabilities) is finding new vulnerabilities via the Bug Bounty Reward program. So, the researchers and hackers are still paid (by Microsoft), but cybercriminals cannot use these vulnerabilities before the patch is found (usually).
 

Andy Ful
But the hacker says that the bounty is too little. That's the reason for this public report.
We do not know for sure when he discovered this vulnerability and how long MS has known about it. Because it is related mainly to enterprises and allows privilege escalation (writing to system trusted locations), the patch will be pushed quickly. So, home users can happily forget about it. :)

Post edited.
 

upnorth
this vulnerability and how long MS knows about it. Because it is related mainly to enterprises and allows privilege escalation, the patch will be pushed quickly.
I haven't fully checked myself, but has Microsoft actually officially acknowledged this as a vulnerability and also stated that a patch is on its way?
 
