Windows 10 Sandbox activation enables zero-day vulnerability

silversurfer

Level 69
Verified
Trusted
Content Creator
Malware Hunter
Aug 17, 2014
5,856
A reverse engineer discovered a new zero-day vulnerability in most Windows 10 editions, which allows creating files in restricted areas of the operating system. Exploiting the flaw is trivial and attackers can use it to further their attack after initial infection of the target host, albeit it works only on machines with the Hyper-V feature enabled.

Reverse engineer Jonas Lykkegaard posted a tweet last week showing how an unprivileged user can create an arbitrary file in 'system32', a restricted folder holding vital files for the Windows operating system and installed software. However, this works only if Hyper-V is already active, something that limits the range of targets since the option is disabled by default and is present in Windows 10 Pro, Enterprise, and Education.
CERT/CC vulnerability analyst Will Dormann confirmed that the vulnerability exists and that exploiting it requires literally no effort from an attacker on the host. The researcher told BleepingComputer that the vulnerable component is 'storvsp.sys' (Storage VSP - Virtualization Service Provider), a server-side Hyper-V component.
 
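An added exposure and triage check for the storvsp.sys issue described above (this is an example written for this page, not code from the thread, from Jonas Lykkegaard, or from Microsoft). It assumes only what the post states: the vulnerable component is storvsp.sys and the path is reachable only where Hyper-V is enabled. The 7-day window for "recently created" files is an arbitrary choice, and the owner filter is a heuristic, not a rule from any advisory. It runs as a standard user:

```powershell
# Added example (not from the thread): exposure/triage check for the storvsp.sys
# issue. Assumption: the vulnerable component is storvsp.sys (as the post states)
# and the path only exists where the Hyper-V role is installed.

# 1. Is the Hyper-V storage VSP driver registered on this host?
$storvsp = Get-CimInstance Win32_SystemDriver -Filter "Name='storvsp'" -ErrorAction SilentlyContinue
if ($null -eq $storvsp) {
    Write-Output "storvsp.sys not registered: Hyper-V role appears absent, host not exposed via this path."
} else {
    Write-Output ("storvsp.sys state: {0} (start mode {1})" -f $storvsp.State, $storvsp.StartMode)
    $drv = Get-Item "$env:SystemRoot\System32\drivers\storvsp.sys" -ErrorAction SilentlyContinue
    if ($drv) { Write-Output ("storvsp.sys file version: {0}" -f $drv.VersionInfo.FileVersion) }
}

# 2. Sanity check: the ordinary path into System32 must be denied for a non-admin.
$probe = Join-Path $env:SystemRoot 'System32\probe_should_fail.txt'
try {
    [System.IO.File]::WriteAllText($probe, 'x')
    Write-Output "Unexpected: wrote $probe via the normal path (are you running elevated?)"
    Remove-Item $probe -ErrorAction SilentlyContinue
} catch [System.UnauthorizedAccessException] {
    Write-Output "Normal path to System32 correctly denied for this user."
}

# 3. Triage: files recently created in System32 whose owner is not one of the usual
#    installers. A file planted by an unprivileged user would be owned by that user.
$cutoff = (Get-Date).AddDays(-7)   # arbitrary window, adjust as needed
Get-ChildItem "$env:SystemRoot\System32" -File -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt $cutoff } |
    ForEach-Object {
        $owner = $(try { (Get-Acl $_.FullName -ErrorAction Stop).Owner } catch { '<unreadable>' })
        [pscustomobject]@{ Name = $_.Name; Created = $_.CreationTime; Owner = $owner }
    } |
    Where-Object { $_.Owner -notmatch 'TrustedInstaller|SYSTEM|Administrators' } |
    Format-Table -AutoSize
```

Step 2 is there to make the point of the thread concrete: a write through the normal `C:\Windows\System32` path is rejected for a standard user, so any file that turns up in step 3 owned by an ordinary account was not created that way. Step 1 only tells you whether the component is present; it says nothing about whether the installed build is patched.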

lykk

New Member
Sep 7, 2020
1
Yeah, the vSMB referred to in the path is the SMB-cousin protocol used between the Hyper-V host and the guest VM.
By opening the path like that, it is equivalent to opening through \device\mup\;lanmanredirector\localhost\c$ for normal SMB, but the normal MUP device impersonates and forces an access check.
 

v3n00m

Level 2
Dec 5, 2018
79
Works on my computer. The bypass uses "\Device\STORVSP\vSMB\??\" so I will test it tomorrow with disabled SMB protocols.

Edit.
This bypass works on my machine also with disabled SMB protocols.
That is very interesting; also, was it the SMB protocols that were disabled?
 

Andy Ful

Level 68
Verified
Trusted
Content Creator
Dec 23, 2014
5,647
In such a complex system as Windows 10, there are many uncovered vulnerabilities, and others are added in each Windows update. Of course, the updates are important, because they remove the already known vulnerabilities. The only sensible way to improve the consumers' security on Windows 10 (against uncovered vulnerabilities) is finding new vulnerabilities via the Bug Bounty Reward program. So, the researchers and hackers are still paid (by Microsoft) but cybercriminals cannot use these vulnerabilities before the patch is found (usually).
 

Andy Ful

Level 68
Verified
Trusted
Content Creator
Dec 23, 2014
5,647
But the hacker says that the bounty is too little. That's the reason for this public report.
We do not know for sure when he discovered this vulnerability and how long MS knows about it. Because it is related mainly to enterprises and allows privilege escalation (writing to system trusted locations), the patch will be pushed quickly. So, home users can happily forget about it. :)


upnorth

Moderator
Verified
Staff member
Malware Hunter
Jul 27, 2015
4,170
this vulnerability and how long MS knows about it. Because it is related mainly to enterprises and allows privilege escalation, the patch will be pushed quickly.
I haven't fully checked myself, but has Microsoft actually officially acknowledged this as a vulnerability and also stated that a patch is on its way?
 