Zero-day vulnerability in Windows allows overwriting any file

This is the fourth zero-day vulnerability in Windows revealed in December 2018

A cybersecurity researcher has released code to exploit a critical zero-day vulnerability in the Windows operating system, the fourth security flaw of this class disclosed during the last month of 2018. According to specialists from the International Institute of Cyber Security, this vulnerability would allow overwriting files with arbitrary data.

According to the researcher, known by the alias ‘SandboxEscaper’, executing her proof-of-concept code results in ‘pci.sys’ being overwritten with information about software and hardware problems, collected through the event-based feedback of Windows Error Reporting.

The cybersecurity specialist warns that her exploit works with some limitations, and on some systems it may not produce the expected effect. As an example, the researcher commented that she was not able to exploit the vulnerability on a computer with a single-core CPU.

In addition, SandboxEscaper adds that the time for the bug to produce some effect may vary depending on the system, as some other operation might disrupt the process or break the result.

This is confirmed by Will Dormann, a cybersecurity analyst from CERT/CC, who was able to reproduce the vulnerability on Windows 10 Home Build 17134, adding that the file overwrite does not occur consistently.

On the other hand, Mitja Kolsek, director of a cybersecurity firm, says the exploit’s variable reliability is a minor drawback if a hacker is able to verify the success of the exploit.

Because the attack targets ‘pci.sys’, the proof of concept designed by SandboxEscaper could generate a denial-of-service condition on the machine of a user without administrator privileges: ‘pci.sys’ is a system component required to start the operating system correctly, as it enumerates physical device objects.

Still, Dormann comments that the exploit could be used against other files because ‘pci.sys’ was used simply as an example of a file that should not be able to be overwritten.

SandboxEscaper had announced that she would publish the proof of concept for a new bug in Windows at the beginning of 2019, although a few days later she moved ahead of that deadline and published the details of this zero-day vulnerability. The specialist posted via Twitter that she had already informed Microsoft about the incident, although the company has not made any statement about this vulnerability.

This is the second time that SandboxEscaper has published a proof of concept for a critical zero-day vulnerability in Windows. A few weeks ago, the same specialist published code with which any user was able to read protected files on this system.