Windows 0-day pops up out of nowhere Twitter
Privilege escalation exploit, for which no patch exists, dumped on GitHub
It's not a vulnerability bad enough to force Microsoft to release an out-of-cycle patch – however, CERT/CC has just put out an alert over a newly disclosed privilege escalation bug in Windows.
According to the tweet that set the hounds running, it's a zero-day with a proof-of-concept over on GitHub:
Here is the alpc bug as 0day: https://t.co/m1T3wDSvPX I don't fucking care about life anymore. Neither do I ever again want to submit to MSFT anyway. Fuck all of this shit.— SandboxEscaper (@SandboxEscaper) August 27, 2018
CERT/CC vulnerability analyst Will Dormann quickly verified the bug, tweeting: “I've confirmed that this works well in a fully-patched 64-bit Windows 10 system. LPE right to SYSTEM!” That LPE is a local privilege escalation – meaning malware or malicious logged-in users can use it to gain control of the system.
CERT/CC has finished its more formal investigation, and has just posted this vulnerability advisory.
“Microsoft Windows task scheduler contains a vulnerability in the handling of ALPC, which can allow a local user to gain SYSTEM privileges,” the alert stated.
ALPC, Advanced Local Procedure Call, restricts the impact somewhat, since it's a local bug: you have to be already logged in, or running code on, a machine to hijack it. However, it opens an all-too-familiar attack vector: if an attacker can get a target to download and run an app, local privilege escalation gets the malware out of the normal user context up to, in this case, system privileges. Ouch.
The vulnerability note stated: “The CERT/CC is currently unaware of a practical solution to this problem.”
A Microsoft spokesperson told us it will “proactively update impacted advices as soon as possible.” ®