Windows Zero-Day Affecting All OS Versions on Sale for $90,000

Posted by Exterminator (thread author)
A hacker going by the handle BuggiCorp is selling a zero-day vulnerability that affects all Windows versions and lets an attacker elevate a process's privileges to the highest level available on Windows, the SYSTEM account.

Security firm Trustwave spotted the offer in May 2016, advertised on a Russian-language underground hacking forum for $90,000. The forum post was last updated on May 23; the initial asking price was $95,000.

Zero-day affects all OS versions, over 1.5 billion users
BuggiCorp also posted two YouTube videos of the zero-day in action: one escalating the privileges of an application on Windows 10 with the May 2016 security updates installed, and another showing the exploit bypassing all protections in the newest version of Microsoft's EMET toolkit.

The seller wants payment in Bitcoin and is willing to use the forum administrator as an escrow if needed.

BuggiCorp says he will sell the exploit to only one buyer, who will receive the exploit's source code, a fully functional demo, the Microsoft Visual Studio 2005 project file, and free future updates for any Windows version on which the exploit fails to run.

The seller was very clear that the exploit works on all Windows versions, which, going by Microsoft's own statistics, means it could affect more than 1.5 billion users.

Zero-day technical details are available
BuggiCorp also provided a few technical details in the forum post. Here are a few selections, translated from Russian by Trustwave.

The vulnerability exists in the incorrect handling of window objects, which have certain properties, and [the vulnerability] exists in all OS [versions], starting from Windows 2000.

[The] exploit is implemented for all OS architectures (x86 and x64), starting from Windows XP, including Windows Server versions, and up to current variants of Windows 10.

The vulnerability is of "write-what-where" type, and as such allows one to write a certain value to any address [in memory], which is sufficient for a full exploit. The exploit successfully escapes from ILL/appcontainer (LOW), bypassing (more precisely: doesn't get affected at all [by]) all existing protection mechanisms such as ASLR, DEP, SMEP, etc. [The exploit] relies solely on the KERNEL32 and USER32 libraries [DLLs].

The [source code] project of the exploit and a demo example are written in C and assembly with MSVC 2005. The output is a "lib" file which can later be linked to any other code, and [additional output from the source code project] is a demo EXE file which launches cmd.exe and escalates the privileges to the SYSTEM account.
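To make concrete what a "write-what-where" primitive buys an attacker, and why the seller can say that DEP and SMEP do not come into play, here is an added toy in C. It is not BuggiCorp's code, not code from the page, and it models no real Windows vulnerability: the toy_token_t structure, g_tokens, arbitrary_write32 and the numeric privilege levels are constructed stand-ins for the kernel object that decides what a process may do (the role an access token plays on Windows).

```c
/* Toy model of a "write-what-where" primitive. Added illustration only: this is
 * not BuggiCorp's exploit, not the page's code, and it models no real Windows
 * bug. toy_token_t, g_tokens and arbitrary_write32 are constructed stand-ins. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PRIV_LOW    0u   /* low integrity / AppContainer level in this toy */
#define PRIV_SYSTEM 3u   /* the "SYSTEM" level the forum quote refers to   */

/* Stand-in for the kernel object that decides what a process may do. */
typedef struct {
    char     owner[16];
    uint32_t privilege;
} toy_token_t;

/* Two constructed tokens: index 0 is a privileged one that already exists
 * on the system, index 1 belongs to the attacker's sandboxed process. */
static toy_token_t g_tokens[2];

static void reset_tokens(void) {
    memset(g_tokens, 0, sizeof g_tokens);
    strcpy(g_tokens[0].owner, "system");
    g_tokens[0].privilege = PRIV_SYSTEM;
    strcpy(g_tokens[1].owner, "lowbox");
    g_tokens[1].privilege = PRIV_LOW;
}

/* The primitive itself: the attacker chooses the value ("what") and the
 * destination ("where"). In a real kernel bug this comes from a corrupted
 * object field; here it is just a function so the effect can be shown. */
static void arbitrary_write32(uintptr_t where, uint32_t what) {
    *(uint32_t *)where = what;
}

/* Reference monitor: a privileged operation requires a SYSTEM-level token. */
static int privileged_op_allowed(const toy_token_t *t) {
    return t->privilege >= PRIV_SYSTEM;
}

/* Data-only escalation: one controlled write copies the donor's privilege
 * value into the attacker's token. No attacker code runs and no page has to
 * be made writable or executable, which is why DEP/SMEP-style mitigations
 * have nothing to catch. What the attacker still needs is "where": the
 * address of the field, which is what ASLR is meant to hide. */
static int escalate(toy_token_t *victim, const toy_token_t *donor) {
    if (privileged_op_allowed(victim))
        return 1;                                   /* nothing to do */
    arbitrary_write32((uintptr_t)&victim->privilege, donor->privilege);
    return privileged_op_allowed(victim);           /* 1 on success */
}

int main(void) {
    reset_tokens();
    printf("before: %s privilege=%u allowed=%d\n", g_tokens[1].owner,
           (unsigned)g_tokens[1].privilege, privileged_op_allowed(&g_tokens[1]));
    int ok = escalate(&g_tokens[1], &g_tokens[0]);
    printf("after:  %s privilege=%u allowed=%d\n", g_tokens[1].owner,
           (unsigned)g_tokens[1].privilege, ok);
    return ok ? 0 : 1;
}
```

The toy runs entirely in user mode, so the target address is simply taken with `&`. In a real kernel exploit, locating that address is exactly the step that KASLR and the hiding of kernel addresses from low-integrity processes are meant to make hard; the seller's claim that ASLR "does not affect" the exploit is a claim about that step, and the quoted text does not say how it is solved.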