Active Spy Campaign Exploits Unpatched Windows Zero-Day

Discussion in '0-day Release' started by silversurfer, Sep 6, 2018.

  1. silversurfer

    silversurfer Malware Tester Silver Member

    The recently discovered Windows zero-day – which still doesn’t have a patch – has been used in the wild for the last week, with an active info-stealing campaign emerging just two days after its disclosure on Twitter.

    The flaw is a local privilege escalation vulnerability in the Windows Task Scheduler’s Advanced Local Procedure Call (ALPC) interface — it allows a local unprivileged user to change the permissions of any file on the system and modify it, including system files that are executed by privileged processes.

    Security researcher “SandboxEscaper” spilled the beans on the flaw on August 27 with some amount of frustration with the vulnerability reporting process: “I don’t [redacted] care about life anymore. Neither do I ever again want to submit to MSFT anyway,” the researcher said in a since-deleted tweet, while linking to proof-of-concept (PoC) exploit code on GitHub.

    The PoC was straightforward: “SandboxEscaper’s PoC specifically overwrites a printing-related DLL to make it launch notepad.exe, then triggers the Print Spooler service (spoolsv.exe) to load the DLL,” explained researchers at Barkly, in a blog about the newly-discovered exploit posted Wednesday. “As a result, notepad.exe is spawned as SYSTEM.”

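A defender-side check for the impact described above (a DLL loaded by a privileged service becoming writable by an unprivileged user): an added PowerShell example, not code from the post, from SandboxEscaper or from Barkly, that scans DLLs under System32 for allow ACEs granting write-class rights to low-privilege principals. The root path and the principal list are assumptions; adjust them to your baseline.

```powershell
# Added example: report DLLs whose DACL lets a low-privilege principal modify them.
# $Root and $LowPrivPrincipals are assumptions, not values from the original post.
param(
    [string]$Root = "$env:SystemRoot\System32",
    [string[]]$LowPrivPrincipals = @(
        'Everyone',
        'BUILTIN\Users',
        'NT AUTHORITY\Authenticated Users',
        'NT AUTHORITY\INTERACTIVE'
    )
)

# Any of these rights is enough for a non-admin to replace or alter file contents,
# or to grant itself such rights; Modify and FullControl both include Write.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions

$findings = Get-ChildItem -Path $Root -Filter *.dll -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        try { $acl = Get-Acl -LiteralPath $file.FullName } catch { return }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band [int]$writeMask) -eq 0) { continue }
            # A non-inherited ACE on a System32 DLL is the strongest signal: stock
            # permissions there are inherited from the directory, so an explicit
            # grant to Users/Everyone points at a DACL rewrite on that single file.
            [pscustomobject]@{
                Path      = $file.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Owner     = $acl.Owner
                Explicit  = -not $ace.IsInherited
            }
        }
    }

if ($findings) {
    $findings | Sort-Object Explicit -Descending | Format-Table -AutoSize
    Write-Warning ("{0} DLL ACE(s) grant write-class rights to low-privilege principals" -f @($findings).Count)
} else {
    Write-Host "No low-privilege write access found on DLLs under $Root"
}
```

Run it from an elevated prompt so Get-Acl can read every file; compare the output against a known-good host rather than treating every hit as tampering, since some third-party installers legitimately loosen permissions.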