SandboxEscaper is known for publicly dropping zero-day exploits for unpatched Windows vulnerabilities. In the past year, the hacker has disclosed over half a dozen zero-day vulnerabilities in Windows OS without actually bothering to make Microsoft aware of the issues first.
Just two weeks ago, the hacker disclosed four new Windows exploits, one of which bypassed the patch for an elevation-of-privilege vulnerability (CVE-2019-0841) in Windows, caused by the Windows AppX Deployment Service (AppXSVC) improperly handling hard links.
Now, the hacker claims to have found a new way to bypass Microsoft's security patch for the same vulnerability, allowing a specially crafted malicious application to escalate its privileges and take complete control of a patched Windows machine.
Dubbed ByeBear, the new exploit, as shown in the video demonstration, abuses the Microsoft Edge browser to write a discretionary access control list (DACL) with SYSTEM privileges.
"It's going to increase the thread priority to increase our odds of winning the race condition that this exploits. If your VM freezes, it means you either have 1 core or set your VM to have multiple processors instead of multiple cores... which will also cause it to lock up," SandboxEscaper explains.
"This bug is most definitely not restricted to the edge. This will be triggered with other packages too. So you can definitely figure out a way to trigger this bug silently without having edge pop up. Or you could probably minimize edge as soon as it launches and close it as soon as the bug completes."
"I think it will also trigger by just launching edge once, but sometimes you may have to wait for a little. I didn't do extensive testing...found this bug and quickly wrote up a PoC, took me like 2 hours total, finding LPEs is easy."
The next Patch Tuesday updates from Microsoft are due on 11th June, and it will be interesting to see whether the company acknowledges the four previous exploits and the new one and releases security fixes to address them.