Windows 10 News and info | Forum
Topic: Windows Zero-Day Bug Allows Overwriting Files with Arbitrary Data
javajolt
« on: December 30, 2018, 07:28:31 PM »
A security researcher has disclosed exploit code for a fourth zero-day vulnerability in the Windows operating system in as many months. The bug enables overwriting a target file with arbitrary data.

Running the proof-of-concept (PoC) code provided by the researcher, who uses the online alias SandboxEscaper, results in overwriting 'pci.sys' with information about software and hardware problems, collected through the Windows Error Reporting (WER) event-based feedback infrastructure.

PoC effect is not guaranteed

The researcher warns that the exploit she wrote works with some limitations and may not have the expected effect on some CPUs. For instance, she could not reproduce the bug on a machine with one CPU core.

The bug could also take a while to produce an effect, says SandboxEscaper, because it relies on a race condition and other operations may break the outcome.

This is confirmed by Will Dormann, a vulnerability analyst at CERT/CC, who was able to reproduce the bug on Windows 10 Home, build 17134. He also added that the overwrite does not occur consistently.



Mitja Kolsek, CEO of Acros Security, commented that 100% reliability wouldn't matter if the attacker had a way to verify the success of the exploit.



Since the target is 'pci.sys,' SandboxEscaper's PoC can cause a denial-of-service on the machine, from a user that does not have administrative privileges. 'Pci.sys' is a system component necessary for correctly booting the operating system, since it enumerates physical device objects.



It could be used with other files, though. "There's nothing special about pci.sys. It was just used as an example of a file that shouldn't be able to be overwritten," Dormann told BleepingComputer.

"You can also use it to perhaps disable third-party AV software," SandboxEscaper speculates when describing the exploit.

Researcher rushed out the PoC but emailed Microsoft first
SandboxEscaper announced on December 25 that on New Year she would publicly release the PoC for a new bug in Windows, but changed her mind two days later and published the details.

She tweeted that she informed Microsoft Security Response Center (MSRC) about the bug "to give them a headstart." BleepingComputer reached out to MSRC for confirmation but had not received a reply by publishing time.



This is SandboxEscaper's second public release of exploit code for a zero-day bug in Windows this month. On December 19 she published code that enables reading protected files.

In late August she published an exploit that increases privileges to SYSTEM on Windows via a vulnerability in the Task Scheduler component. Two months later, towards the end of October, she dropped a PoC for another privilege escalation bug that allows deleting any file without permission.

source