SandboxEscaper disclosed 3 Microsoft zero-days in 24 hours

Yesterday SandboxEscaper publicly disclosed a Windows zero-day vulnerability; now she has disclosed two more previously unknown issues in less than 24 hours.

Just yesterday, the popular developer SandboxEscaper publicly disclosed a Windows zero-day vulnerability in the Task Manager; now, in less than 24 hours, she has revealed two more unpatched Microsoft zero-day flaws.

The two new zero-day issues affect the Microsoft Windows Error Reporting service and Internet Explorer 11.

The new disclosures are not surprising; SandboxEscaper had announced them in advance. Yesterday she said she had at least another four Windows zero-day vulnerabilities: three local privilege escalation (LPE) issues leading to code execution and a sandbox escape.

SandboxEscaper initially considered selling the exploits for these issues to non-Western buyers, asking at least 60,000 each for the local privilege escalation bugs.

One of the Microsoft zero-day vulnerabilities disclosed in the last few hours affects the Windows Error Reporting service; it could be exploited through a discretionary access control list (DACL) operation. A DACL identifies the trustees that are allowed or denied access to a securable object.

An attacker could exploit the flaw to delete or edit any Windows file, including system executables.
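As an added example (it is not from the article and not SandboxEscaper's PoC), the PowerShell below audits the DACL on a directory and lists the access control entries that grant modify-class rights to broad principals such as Everyone or BUILTIN\Users. The default path, the Windows Error Reporting ReportArchive folder under ProgramData that the quote further down mentions, is an assumption on the editor's part; pass any directory with -Path. The principal list and the set of rights treated as risky are the editor's choices, not anything the article specifies.

```powershell
# Added example, not from the article: audit a directory's DACL and flag
# Allow entries that give broad, low-privilege principals modify-class rights.
# The default path is an assumption (WER ReportArchive under ProgramData).
param(
    [string]$Path = "$env:ProgramData\Microsoft\Windows\WER\ReportArchive"
)

# Principals that effectively mean "any authenticated or interactive user".
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a caller create, rename, delete or re-ACL content here.
$RiskyRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Get-RiskyAce {
    param([string]$TargetPath)

    $acl = Get-Acl -LiteralPath $TargetPath
    foreach ($ace in $acl.Access) {
        # Only Allow entries widen access; Deny entries narrow it.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $RiskyRights) -eq 0) { continue }

        [pscustomobject]@{
            Path      = $TargetPath
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            # Inheritance and propagation flags show whether the grant
            # also applies to files and folders created later.
            AppliesTo = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
        }
    }
}

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Warning "Path not found: $Path"
    return
}

Write-Host "Owner: $((Get-Acl -LiteralPath $Path).Owner)"
$findings = @(Get-RiskyAce -TargetPath $Path)
if ($findings.Count -eq 0) {
    Write-Host "No broad principals hold modify-class rights on $Path"
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated prompt. A hit is not by itself a vulnerability: some service directories are designed to accept writes from ordinary users. The useful output is the combination of a folder that a privileged service reads from or writes to and modify rights held by low-privilege users on that same folder, because that is where file-manipulation bugs of the kind described here live, and it tells you which paths deserve file-system auditing (object access events) and a review of the service's own handling of them.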

The issue was dubbed AngryPolarBearBug2 by SandboxEscaper because it is linked to another Windows Error Reporting service flaw she found in 2018, which she called AngryPolarBearBug. AngryPolarBearBug could be exploited by a local, unprivileged attacker to overwrite any chosen file on the system.

SandboxEscaper explained that the Windows zero-day is hard to exploit.

“It can take upwards of 15 minutes for the bug to trigger. If it takes too long, closing the program, cleaning out the reportarchive folder in programdata (it may mess up the timing if there’s too many reports in there as result of running our poc for too long), deleting the c:\blah folder.. etc.. might help,” wrote the expert.

“I guess a more determined attacker might be able to make it more reliable. It is just an insanely small window in which we can win our race, I wasn’t even sure if I could ever exploit it at all.”

“I don’t see a way to use OPLOCKS to reliably win the race.. and while I can make it work fairly reliable in my VM, I need to use a “rand()” function to bruteforce a delay needed to hit the correct timing.. because this timing will vary wildly from hardware setup to setup.”

The second Microsoft zero-day flaw disclosed by SandboxEscaper affects Microsoft’s web browser, Internet Explorer 11 (IE11).

The expert did not share technical details on the issue but published a video PoC showing that the vulnerability could be exploited by tricking the victim’s browser into handling a maliciously crafted DLL file. The video is linked below.

https://github.com/SandboxEscaper/polarbearrepo/raw/master/sandboxescape/demo.mp4

The zero-day could be exploited by an attacker to bypass the IE Protected Mode sandbox and execute arbitrary code with Medium integrity permissions.

Since August, SandboxEscaper has publicly dropped exploits for two Windows zero-day vulnerabilities, forcing Microsoft to address them quickly to keep its users from being targeted by hackers.

In October, SandboxEscaper released proof-of-concept exploit code for a Microsoft Data Sharing flaw that allowed a low-privileged user to delete critical system files from Windows systems.

In December, she published proof-of-concept (PoC) code for a new Windows zero-day, the fourth she released this year.

Pierluigi Paganini
