SandboxEscaper: A “researcher” who goes by the name SandboxEscaper has published two zero-days for Windows 10 this week. The first zero-day utilizes the TaskScheduler utility to import a .JOB file, a legacy file type from Windows XP which can still be run on newer windows versions. The .JOB file contains arbitrary DACL (discretionary access control list) control rights. In lack of a DACL, Windows 10 gives any user full access. During her proof of concept, SandboxEscaper begins with limited privileges on the system and ended up with full system rights following her exploit of the vulnerability. The second zero-day is in Internet Explorer (IE) 11 and allows an attacker to inject a DLL into a specific IE 11 process. When the injection is done successfully it will open a filepicker and an HTML page containing JavaScript. At this point, the exploit has disabled the Internet Protected Mode, allowing the JavaScript to run under lower security. The third release from SandboxEscaper was a POC of a previously reported zero-day which was patched this month during Microsoft’s monthly patch release. The POC was for AngryPolarBearBug2, which was a local privilege elevation vulnerability found in Windows Error Reporting. SandboxEscaper has expressed her disgust with the information security industry and those who work in it, as well as a desire to sell her exploits–including two unreleased ones, to foreign actors.
Analyst Notes
It is possible with three releases already this week we will see more next week.
