A new ‘Windows file-delete vulnerability’ with a PoC has been posted online and may lead to local privilege escalation via DLL hijacking.
PUBLISH DATE: 30-10-2018
This new bug, together with a proof-of-concept, was disclosed on Twitter by the researcher SandboxEscaper. It can be exploited to delete arbitrary Windows files and, from there, to gain elevated privileges via DLL hijacking. The zero-day is still unpatched by the vendor; however, 0patch has released a free micro-patch that fixes the bug.
The researcher who found this bug said, “[It’s] Not the same bug I posted a while back, this doesn’t write garbage to files but actually deletes them. Meaning you can delete application DLLs and hope they go look for them in user-writable locations. Or delete stuff used by system services c:\windows\temp and hijack them.”
This ‘Deletebug’ vulnerability in the Microsoft Data Sharing Service (dssvc.dll) lets non-admins abuse a new Windows service to delete any file without a permission check. Once deletebug.exe deletes pci.sys, the computer can no longer be restarted, so test only on a virtual machine that you can revert to a snapshot taken before running deletebug.exe.
The vulnerability hasn’t been patched by Microsoft; however, 0patch has released a free micro-patch that fixes the bug in the Microsoft Data Sharing Service. The micro-patch adds impersonation to the DeleteFileW call, so the delete is evaluated against the calling user’s permissions rather than the service’s, which blocks the exploit.
The delete operation is then denied access because of the impersonation, as shown in the figure below. The vulnerability is reported in Windows 10 / Server 2016, whereas Windows 7 and Windows 8 aren’t affected.
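The escalation path described above depends on a privileged component loading a DLL from a location that ordinary users can write to. The following PowerShell script is an added example (not code from the article, the researcher, or 0patch) that audits a list of directories for ACEs granting write access to broad principals such as Everyone, Authenticated Users, or BUILTIN\Users. The starting list in `$Candidates`, the SID list in `$BroadSids`, and the function name `Test-BroadlyWritable` are this example’s own assumptions; extend the list with the folders your services actually load from.

```powershell
# Added example: find directories a non-admin user can write to.
# $Candidates is an assumed starting set; C:\Windows\Temp is named in the
# researcher's note, the rest are common DLL search locations plus every
# directory on the machine-wide PATH.
$Candidates = @(
    "$env:SystemRoot\Temp",
    "$env:SystemRoot\System32",
    "$env:ProgramFiles",
    "${env:ProgramFiles(x86)}"
) + ($env:PATH -split ';')
$Candidates = $Candidates | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Sort-Object -Unique

# Principals that effectively mean "any local user". Comparing SIDs instead of
# names keeps the check independent of the system locale.
$BroadSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-4'        # INTERACTIVE
)

# Any of these bits in an Allow ACE lets the principal create or replace files.
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-BroadlyWritable {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            continue   # unresolvable principal (e.g. orphaned SID); not a broad group
        }
        if (($BroadSids -contains $sid) -and (($ace.FileSystemRights -band $WriteRights) -ne 0)) {
            return [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
    return $null
}

$Findings = foreach ($dir in $Candidates) {
    try { Test-BroadlyWritable -Path $dir }
    catch { Write-Warning "Cannot read ACL for ${dir}: $($_.Exception.Message)" }
}
$Findings | Where-Object { $_ } | Format-Table -AutoSize
```

Run it from an elevated prompt so every DACL is readable. C:\Windows\Temp is expected to show up, since users are allowed to create files there by design; the useful follow-up is to check which privileged services and scheduled tasks load or search for DLLs in each flagged directory, because those are the components an arbitrary-delete bug turns into a hijack target.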
Windows 10 and Server 2016 & 2019
Until Microsoft releases a patch, this arbitrary-delete vulnerability on fully updated Windows 10 1803 is fixed by 0patch’s free micro-patch. Users with online 0patch agents will have it auto-applied within 60 minutes.
All users can download the micro-patch from 0patch.com.