Windows Zero-Day Affecting All OS Versions on Sale for $90,000


Over 1.5 billion users in danger thanks to new exploit. A hacker going by the handle BuggiCorp is selling a zero-day vulnerability affecting all Windows OS versions that can allow an attacker to elevate privileges for software processes to the highest level available in Windows, known as SYSTEM.

Security firm Trustwave discovered the bug this past May, advertised on a Russian underground hacking forum for $90,000. The forum post’s latest update was on May 23, and the initial price was $95,000.

Zero-day affects all OS versions, over 1.5 billion users

BuggiCorp also posted two YouTube videos of the zero-day in action, one escalating the privileges of an application on Windows 10 with the latest May 2016 security patch installed, and another showing his exploit bypassing all security features included in Microsoft’s latest version of the EMET toolkit.

The crook wants payment in Bitcoin, and is willing to provide escrow via the forum’s administrator if needed.

BuggiCorp says he’ll sell the exploit to only one person, and that the buyer will get the exploit’s source code, a fully functional demo, the Microsoft Visual Studio 2005 project file, and free future updates for any Windows version the exploit may fail to run on.

The seller wanted to be very clear that his exploit works on all Windows versions, which according to Microsoft’s statistics may affect over 1.5 billion users.

Zero-day technical details are available

BuggiCorp also provided a few technical details in his forum post. Here are a few selections, translation courtesy of Trustwave.

  The vulnerability exists in the incorrect handling of window objects, which have certain properties, and [the vulnerability] exists in all OS [versions], starting from Windows 2000.  

  [The] exploit is implemented for all OS architectures (x86 and x64), starting from Windows XP, including Windows Server versions, and up to current variants of Windows 10.  

  The vulnerability is of “write-what-where” type, and as such allows one to write a certain value to any address [in memory], which is sufficient for a full exploit. The exploit successfully escapes from ILL/appcontainer (LOW), bypassing (more precisely: doesn’t get affected at all [by]) all existing protection mechanisms such as ASLR, DEP, SMEP, etc. [The exploit] relies solely on the KERNEL32 and USER32 libraries [DLLs].  

  The project of the exploit and a demo example are written in C and assembly with MSVC 2005. The output is a “lib”-file which can later be linked to any other code, and [additional output from the source code project] is a demo EXE file which launches CMD EXE and escalates the privileges to SYSTEM account.  

BuggiCorp's forum post (Russian)

Trustwave and other infosec experts think the zero-day is overpriced, but they believe someone will eventually pay it.

The zero-day is overpriced compared to other zero-days

To get an idea of the prices of exploits and hacking tools, here are two examples, a price list from a well-known government software and exploit vendor called Zerodium, and a price list of hacking services on underground forums from a Dell report.

Additionally, experts also believe the zero-day is not worth that much because it can’t be used to infect computers, but only to escalate access: it is a second-stage exploit, usually used to gain boot persistence.

“While the most coveted zero day would be a Remote Code Execution (RCE) exploit, Local Privilege Escalation vulnerabilities are likely next in line in popularity,” the Trustwave team explains. “Although such an exploit can’t provide the initial infection vector like a Remote Code Execution (RCE) would, it is still a very much needed puzzle piece in the overall infection process.”

Microsoft was one of the first companies to set up a bug bounty program, and despite the large amount of malware targeting its operating systems, the company is widely respected in the security field. Many security firms point to Microsoft as the company with the best approach to product security on the market today.