For the third time in four months, a security researcher has announced a zero-day vulnerability in Microsoft Windows and published exploit code, this one allowing files to be read from locations the user is not authorized to access.
Known by the moniker SandboxEscaper, the researcher released details of a security vulnerability affecting ReadFile.exe, which, as its name indicates, allows reading data from specific locations.
Exploit code works
The glitch is in the "MsiAdvertiseProduct" function, which Microsoft describes as being able to "generate an advertise script or advertises a product to the computer" and which "enables the installer to write to a script the registry and shortcut information used to assign or publish a product."
Calling this function leads to an arbitrary file copy by the installer service, which is controllable by the attacker, the researcher explains.
SandboxEscaper explains that although a check is performed, the protection can be bypassed through a time-of-check to time-of-use (TOCTOU) race condition.
The end result, she says, is the ability to copy any file with SYSTEM privileges, with the destination always being readable. Because of this, she calls it an arbitrary file read vulnerability.
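The check-then-use flaw described above is a general pattern, not something specific to the installer service. The following is an added example, written for this page and not SandboxEscaper's proof of concept or Windows Installer code; it is a constructed POSIX simulation (symlinks, `O_NOFOLLOW`, `dir_fd`) of a privileged copy routine. The first function validates a path and then reopens that same path, so a retarget in between defeats the check; the second anchors the open to a directory handle, refuses symlinks, and validates the object behind the handle it will actually read from. The `between_check_and_use` hook is a test stand-in for a concurrent process and is not part of any real API.

```python
"""Constructed TOCTOU illustration for the article above (not the real PoC).
Runs on POSIX; needs os.symlink, os.O_NOFOLLOW and dir_fd support (Linux has all)."""
import os
import stat
import tempfile


def copy_path_checked(src_path, dst_path, allowed_dir, between_check_and_use=None):
    """Vulnerable pattern: validate the *path*, then operate on the *path*.
    The path is resolved twice (once by realpath, once by open), so anything
    that retargets it in between defeats the check.  The hook stands in for
    an attacker racing the privileged copy (simulation only)."""
    resolved = os.path.realpath(src_path)
    root = os.path.realpath(allowed_dir)
    if os.path.commonpath([resolved, root]) != root:
        raise PermissionError("source resolves outside the allowed directory")
    if between_check_and_use:
        between_check_and_use()          # the race window
    with open(src_path, "rb") as f:      # second resolution of the same path
        data = f.read()
    with open(dst_path, "wb") as f:
        f.write(data)
    return data


def copy_handle_checked(name, dst_path, allowed_dir, between_check_and_use=None):
    """Hardened pattern: open relative to a directory handle with O_NOFOLLOW,
    validate the object behind the resulting handle, and read from that same
    handle.  Nothing is re-resolved, so the hook cannot change what is read."""
    if os.sep in name or name in ("", ".", ".."):
        raise ValueError("expected a bare file name inside the allowed directory")
    dir_fd = os.open(allowed_dir, os.O_RDONLY | os.O_DIRECTORY)
    try:
        # O_NOFOLLOW makes a symlink at the final component fail with ELOOP.
        fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dir_fd)
    finally:
        os.close(dir_fd)
    with os.fdopen(fd, "rb") as f:       # fdopen owns and closes fd
        st = os.fstat(f.fileno())        # check the object we hold, not a path
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        if between_check_and_use:
            between_check_and_use()      # same window, but now harmless
        data = f.read()
    with open(dst_path, "wb") as f:
        f.write(data)
    return data


def demo():
    """Stage the race deterministically: a symlink inside the allowed directory
    first points at a harmless file and is retargeted during the window."""
    with tempfile.TemporaryDirectory() as work:
        allowed = os.path.join(work, "allowed")
        os.mkdir(allowed)
        harmless = os.path.join(allowed, "harmless.txt")
        with open(harmless, "wb") as f:
            f.write(b"public data")
        secret = os.path.join(work, "secret.txt")     # outside the allowed tree
        with open(secret, "wb") as f:
            f.write(b"SECRET")
        link = os.path.join(allowed, "input")
        os.symlink(harmless, link)

        def retarget():
            os.remove(link)
            os.symlink(secret, link)

        dst = os.path.join(work, "out.txt")
        results = {}
        # Path-based check passes, then the reopen follows the retargeted link.
        results["vulnerable"] = copy_path_checked(link, dst, allowed, retarget)

        os.remove(link)
        os.symlink(harmless, link)
        try:
            copy_handle_checked("input", dst, allowed, retarget)
            results["hardened_symlink"] = "opened"
        except OSError:                  # ELOOP from O_NOFOLLOW
            results["hardened_symlink"] = "refused"
        # A genuine regular file still copies; the hook cannot influence the fd.
        results["hardened_regular"] = copy_handle_checked(
            "harmless.txt", dst, allowed, retarget)
        return results


if __name__ == "__main__":
    print(demo())
```

The vulnerable routine returns the contents of the out-of-tree secret even though its check passed; the hardened routine refuses the symlink outright and, for a real file, validates and reads through a single handle, which is the property the page says the installer service lacks.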
SandboxEscaper also makes available a video to demonstrate her findings: