Threat Watch

Windows Zero-Day Exploited in the Wild for Sandbox Escape

Details about a Windows driver bug have been released by the Google Project Zero team before any patch for the bug has been made available by Microsoft. The vulnerability allows local privilege escalation and sandbox escape. The disclosure came seven days after the bug was discovered and according to researchers, is already being exploited by attackers. With specially crafted calls, an attacker can trigger a pool-based overflow which leads to a system crash and opens the door for exploitation. According to the Project Zero Team, “the bug resides in the cng!CfgAdtpFormatPropertyBlock function and is caused by a 16-bit integer truncation issue.”

A proof of concept was put together that shows the ease of triggering the attack. The POC was crafted for a current 64-bit version of Windows 10, but researchers explained that it could affect versions back to Windows 7.

ANALYST NOTES

Many people have questioned the reason why Google released the Proof of Concept and other details before a patch for the zero-day was released. Responses from Google team members have stated that the vulnerability is being used as part of an exploit chain and the entry point attack in Google Chrome has been fixed. Researchers from the Project Zero Team stated that Microsoft is expected to have a patch released on their next patch Tuesday, November 10th. When the patch is released, it must be downloaded by all. This should be a common practice within all organizations to update and patch systems quickly and often. Another Google researcher also stated that now that details about the attack have been released, it is easier for companies to detect if they are being targeted. Monitoring services should be in a place, such as Binary Defense’s Managed Detection and Response, which will detect behaviors such as when an attacker escalates privileges to administrator.

More can be read here: https://threatpost.com/unpatched-windows-zero-day-exploited-sandbox-escape/160828/