Windows Zero-Day PoC Lets You Read Any File with System Level Access

LASER_oneXM

Feb 4, 2016
For a third time in four months, a security researcher announces a zero-day vulnerability in Microsoft Windows and provides exploit code that allows reading into unauthorized locations.
Known by the moniker SandboxEscaper, the researcher released details about a security vulnerability affecting ReadFile.exe, which, as its name indicates, allows reading data from specific locations.

Exploit code works

The glitch is in the "MsiAdvertiseProduct" function, which Microsoft describes as being able to "generate an advertise script or advertises a product to the computer" and that it "enables the installer to write to a script the registry and shortcut information used to assign or publish a product."
Calling this function leads to an arbitrary file copy by the installer service, which is controllable by the attacker, the researcher explains.
SandboxEscaper explains that despite a check being done, the protection can be bypassed via a time-of-check to time-of-use (TOCTOU) race condition.
The end result, she says, is the possibility to copy any files with SYSTEM privileges, with the destination being readable at all times. Because of this, she calls it an arbitrary file read vulnerability.
SandboxEscaper also makes available a video to demonstrate her findings:
She also managed to get the attention of the FBI, as she received a notification from Google about the agency issuing a subpoena for the release of information about her Google account. The reason behind the FBI's move is currently unknown, but it may not be related to SandboxEscaper dumping Windows zero-days and exploit code into the public space. It could have something to do with a short-lived tweet from her allegedly containing a threat against the US President.
What about Secret Service? :emoji_thinking:
Hope this vulnerability will be fixed soon. Very soon.
Keep an eye open on 0patch as they are working on it.
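The bug class the post describes, a privileged service that checks a source path and then copies it, is easiest to understand side by side with the fix. The following is an added, hypothetical illustration written for this thread; it is not the Windows Installer code, it does not reproduce the MsiAdvertiseProduct bug, and it runs on POSIX rather than Windows. `copy_vulnerable` repeats the path lookup after the check, so a swap in between wins the race; `copy_hardened` opens the file once without following symlinks, validates the open handle with `fstat`, and copies from that same handle, so there is no second lookup to race. The `after_check` hook, the mode-bit policy and the sample files are all constructed for the demonstration.

```python
"""Check-then-use versus check-on-handle for a privileged file copy.

Hypothetical example, not Windows Installer code: it shows why a service
that copies files on a caller's behalf must validate the object it copies,
not the path name it was given.
"""
import os
import shutil
import stat
import tempfile


def _caller_may_read(st: os.stat_result) -> bool:
    """Constructed policy standing in for the service's access check:
    a low-privileged caller may read a regular file only if it is
    world-readable (0o004)."""
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & stat.S_IROTH)


def copy_vulnerable(src: str, dst: str, after_check=None) -> bool:
    """Check-then-use. stat() resolves `src` once for the check, and
    copyfile() resolves it again for the copy; the `after_check` hook
    models an attacker winning the window between those two lookups."""
    try:
        st = os.stat(src)                     # check: follows symlinks
    except OSError:
        return False
    if not _caller_may_read(st):
        return False
    if after_check:
        after_check()                         # path swapped here (TOCTOU)
    shutil.copyfile(src, dst)                 # use: second lookup of `src`
    return True


def copy_hardened(src: str, dst: str, after_check=None) -> bool:
    """Check-on-handle. Open once with O_NOFOLLOW, fstat() the descriptor,
    then read from that descriptor. A later swap of the path cannot change
    which file the open handle refers to."""
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(src, flags)             # ELOOP if `src` is a symlink
    except OSError:
        return False
    try:
        if not _caller_may_read(os.fstat(fd)):
            return False
        if after_check:
            after_check()                     # too late: fd is already bound
        with open(dst, "wb") as fout:
            while True:
                chunk = os.read(fd, 65536)
                if not chunk:
                    break
                fout.write(chunk)
        return True
    finally:
        os.close(fd)


def demo() -> dict:
    """Stage the race deterministically and report what each routine
    delivered. Sample files are constructed in a temporary directory."""
    work = tempfile.mkdtemp()
    secret = os.path.join(work, "secret.txt")  # not world-readable
    public = os.path.join(work, "public.txt")  # world-readable

    def reset_public():
        if os.path.lexists(public):
            os.remove(public)
        with open(public, "w") as f:
            f.write("PUBLIC")
        os.chmod(public, 0o644)

    def swap():
        """Attacker step: replace the checked path with a link to the secret."""
        os.remove(public)
        os.symlink(secret, public)

    with open(secret, "w") as f:
        f.write("SECRET")
    os.chmod(secret, 0o600)
    results = {}

    reset_public()
    out = os.path.join(work, "out_vuln.txt")
    copy_vulnerable(public, out, after_check=swap)
    with open(out) as f:
        results["vulnerable"] = f.read()      # "SECRET": check bypassed

    reset_public()
    out = os.path.join(work, "out_hard.txt")
    copy_hardened(public, out, after_check=swap)
    with open(out) as f:
        results["hardened"] = f.read()        # "PUBLIC": handle was bound

    # `public` is now a symlink: the hardened open refuses it outright.
    results["hardened_symlink"] = copy_hardened(public, os.path.join(work, "x"))

    shutil.rmtree(work)
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the hardened version is not the symlink flag alone but that the check and the copy operate on one object obtained by one lookup; any design that re-resolves a caller-controlled path after validating it reopens the window, whatever the check is.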