Zero-day vulnerability in Windows allows privileges escalation

The flaw, still unpatched, allows an attacker to delete any type of file on a machine, including system data

A cybersecurity and digital forensics researcher has published a proof-of-concept for a zero-day vulnerability in Windows functional on fully patched Windows 10 machines. Exploiting the vulnerability would allow an attacker to delete any type of file on the victim’s computer, including system data.

The bug (not yet assigned CVE code, as it has just been discovered) is a privilege escalation zero-day vulnerability in Microsoft Data Sharing Services (dssvc. dll). This is a local service that runs as a LocalSystem account with broad privileges, and allows data to be distributed between applications.

According to the expert who published the proof of concept, the error allows malicious users to delete application libraries (ddl files), which means that the affected applications will look for their libraries in other places. If an application finds its way to a user written location, it gives the attacker the opportunity to load their own malicious library, putting the information stored on the machine at risk.

Mitja Kolsek, a specialist in digital forensics, detailed the potential of this vulnerability. “Even a user with few privileges can make a request to this service for an undocumented function, and this function verifies whether the requesting user has permissions to create a file in a location”, he explained. “To do so, overrides the user who requests it, try to create an empty file, remember if the creation of the file was successful and then delete it”.

Therefore, vulnerability can open the door to a series of malicious activities. “This could be exploited to facilitate lateral movement within an organization or even for potentially destructive purposes, such as removing key system files, making a system inoperable”, said Tom Parsons, an expert on cybersecurity.

In the proof of concept, a program called “Deletebug.exe” Removes a file from the system of the attacked computer, which means that a user can no longer restart it. Therefore, the machine becomes completely inoperable.

“What the proof of concept does, in simple terms, is that it calls the function in Data Sharing Service, which tells to perform an operation in the pci.sys file in a temporary folder and expect this file to be created. Then, it quickly traces that file to pci.sys in the system folder (where the user could not delete it)”, explained Kolsec. “As a result, the system file is deleted”.

Will Dormann, analyst of vulnerabilities in CERT/CC, in conjunction with Mitja Kolsec, were able to confirm the presence of the vulnerability and then exploit it on Windows 10 machines that had all the patches and updates available. Through Twitter, Dormann added that Data Sharing Service does not appear to be present in Windows 8.1 and earlier systems.

Digital forensics experts from the International Institute of Cyber Security were able to confirm that the vulnerability only works on Windows 10 and Server 2016 and 2019. In addition, they report that the bug allows non admin users to remove any files by abusing a new Windows service that does not verify any previously granted permission.

Although Microsoft has not yet issued any statement regarding this vulnerability, a micropatch from the 0Patch organization has proven to be effective in successfully blocking the vulnerability, generating a ACCES DENIED message against any attempt to user suplantation.

A zero-day vulnerability was also discovered last September in Microsoft Task Scehduler. The company patched up the vulnerability a few days later.