Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
March 25, 2023Severity Medium Analysis Summary GandCrab – a ransomware-as-a-service variant – was discovered in early 2018. At least five versions of GandCrab have been created since its […]March 25, 2023Severity Medium Analysis Summary NjRat is a Remote Access Trojan, which is found leveraging Pastebin to deliver a second-stage payload after initial infection. There are multiple […]March 24, 2023Severity Medium Analysis Summary CVE-2023-20113 Cisco SD-WAN vManage Software is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
March 25, 2023Severity Medium Analysis Summary GandCrab – a ransomware-as-a-service variant – was discovered in early 2018. At least five versions of GandCrab have been created since its […]March 25, 2023Severity Medium Analysis Summary NjRat is a Remote Access Trojan, which is found leveraging Pastebin to deliver a second-stage payload after initial infection. There are multiple […]March 24, 2023Severity Medium Analysis Summary CVE-2023-20113 Cisco SD-WAN vManage Software is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
BankIslami hit by Cyber Attack, $6 Million Stolen
October 28, 2018
REWTERZ THREAT ADVISORY – CVE-2018-15454 – Cisco zero-day exploited to crash devices and cause Denial of Service
November 2, 2018
A new ‘windows file-delete vulnerability’ with PoC is posted online that may lead to local privilege escalation via DLL hijacking.
IMPACT: NORMAL
PUBLISH DATE: 30-10-2018
OVERVIEW
This new bug with Proof-of-Concept was found leaked on Twitter by a researcher SandboxEscaper. The bug can be exploited to cause arbitrary windows file deletion and gain escalated privileges via DLL hijacking. The 0 Day vulnerability is still unpatched by the vendor. However, 0Patch has released a free micro-patch for fixing the bug.
ANALYSIS
The researcher who has found this bug said, “[It’s] Not the same bug I posted a while back, this doesn’t write garbage to files but actually deletes them. meaning you can delete application DLL’s and hope they go look for them in user write-able locations. Or delete stuff used by system services c:\windows\temp and hijack them.”
This ‘Deletebug’ vulnerability in Microsoft Data Sharing Service (dssvc.dll) lets non-admins abuse a new Windows service to delete any file without checking permissions. Once the deletebug.exe deletes pci.sys on the computer, it can no longer be restarted to make sure you test on a virtual machine, for reverting to a state before you ran deletebug.exe.
The vulnerability hasn’t been patched by Microsoft, however, a free micro-patch was released by 0Patch that fixes the bug in Microsoft Data Sharing Service. The micro-patch adds impersonation to the DeleteFileW call, hence blocking the exploit.
The Delete operation is then denied access due to the impersonation, as shown in the figure below. The vulnerability is reported in Windows 10 / Server 2016 whereas Windows 7 And Windows 8 aren’t affected.
AFFECTED PRODUCTS
Windows 10 and Server 2016 & 2019
UPDATES
Until Microsoft releases a patch, this arbitrary-delete vulnerability for fully updated Windows 10 1803 is fixed by 0Patch in a free micro-patch. Users with online 0patch Agents will have it auto-applied within 60 minutes.
All users can download the micro-patch from 0patch.com.
If you think you’re a victim of a cyber-attack, immediately send an e-mail to soc@rewterz.com.