Yesterday I reported how a rogue security researcher had released a zero-day exploit that could enable an attacker to read any file on a compromised Windows 10 computer. The researcher stated at the time that she had four more zero-days that were up for sale to non-western buyers. Two of those zero-day exploit bombs have now been dropped into the public domain instead. What are they, how worried should you be and what exactly is motivating SandboxEscaper?
On May 21 a security researcher going by the name of SandboxEscaper posted a proof-of-concept demo for a Windows zero-day exploit online. This local privilege escalation (LPE) exploit was the fifth in a series of zero-days that SandboxEscaper has dropped on the Windows ecosystem over the last year. While it didn’t enable anyone to break into your computer, it did give an attacker who already had a foothold on the machine the means to elevate from a standard user account to administrator, and so gain carte blanche over your files. In practice that foothold is typically a phishing payload or a compromised low-privilege account; an LPE is what turns such a limited compromise into full control of the system. Gavin Millard, vice-president of intelligence at security vendor Tenable, makes the same point. “To exploit, the attack has to have valid credentials on the target which is non-trivial on a well maintained and secure system,” Millard says, “but with the continued popularity of a single password rather than having credentials per service, it could be leveraged in a more targeted attack.”
Because this was a zero-day exploit, meaning the vulnerability was published before the vendor had any opportunity to fix it, Windows 10 users are left exposed until Microsoft ships a patch, most likely on June 11, the next Patch Tuesday. Things have just become a little more problematic with SandboxEscaper releasing, on May 22, another two of the four remaining zero-days she claims to possess. The first is similar to the LPE exploit released on May 21, but this time abuses a vulnerability in the Windows Error Reporting service. It is harder to exploit, and SandboxEscaper admits as much, conceding that it’s “not that much of an issue.” It is, however, still an exploitable vulnerability, and others may well find more reliable ways to trigger it before it is patched. The second zero-day targets Internet Explorer 11 and allows malicious code to be injected into the browser. Again, this does not appear to be a critical vulnerability: the proof-of-concept code indicates that it is not remotely exploitable but rather something a threat actor who already has access to the machine could use to disable Internet Explorer’s Protected Mode as a stepping stone to further attacks.
Again, I think that these zero-days are all worrying but not critical, since each requires the attacker to already have access to the target system, or to chain it with a remotely exploitable bug that provides that access, which amounts to the same thing. As such, the immediate threat to most users appears low. That said, there are still two more exploits in the SandboxEscaper arsenal and we will have to wait and see what they bring when, not if, they are released. Given the events so far this week I suspect we won’t have long to wait.
The motivation behind the release of these exploits doesn’t seem to be financial. The exploits themselves are not without value, to both vendors and threat actors alike, but given their relatively low threat impact probably wouldn’t be worth a fortune in bug bounties or if sold via an exploit broker. There are clues in the SandboxEscaper blog as to the real reasoning, and they are not subtle either: the motivation would seem to be getting back at the U.S. for a perceived injustice. The most telling is the confession that she has “most definitely given portions of my work to people who hate the U.S.” because “that’s what happens when the FBI subpoenas my google acc and intrudes my privacy.” SandboxEscaper goes on to suggest that the people who have access to the exploits “are going to use those bugs to get back at U.S. targets,” before finishing with, “an eye for an eye.” It’s not just the FBI and the U.S. that are on the receiving end of this apparent hatred, some of it is reserved for the information security industry itself. “F*ck this shitty industry. I don’t plan to make a career in it anyway,” SandboxEscaper writes, “I hate all the people involved in this industry.”
SandboxEscaper has now confirmed that the “windows error reporting bug was apparently patched this month” and so that’s one less to worry about. Unfortunately, she has also released two more zero-day exploits: CVE-2019-0841-BYPASS, which, as the name suggests, is a workaround for an elevation-of-privilege vulnerability that Microsoft patched in the May Windows updates, and InstallerBypass, another LPE vulnerability that is problematic to execute and so unlikely to have a high risk impact. That makes a total of nine exploits, eight of them zero-days, released by SandboxEscaper across the last ten months. It also marks the end of the exploit spree, at least for now, as there is no further information to suggest she has any more exploit bombs ready to drop. I would also like to add that mental health issues in the information security industry are rife and, reading her blog entries, it certainly appears that depression has played a part in SandboxEscaper taking this destructive path with her undoubted abilities. I sincerely hope, despite what she has done, that she can get some help with all this and find some inner peace…