The hacker group SandboxEscaper has published two more Microsoft zero-day vulnerabilities, which remain unpatched.
Microsoft patched CVE-2019-0841 in the April 2019 Patch Tuesday release, describing it as follows:
"An elevation of privilege vulnerability exists when Windows AppX Deployment Service (AppXSVC) improperly handles hard links. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data."
Microsoft has since patched the vulnerability, but SandboxEscaper's exploit code on GitHub shows that there is still a way to bypass the fix for CVE-2019-0841.
How to Bypass CVE-2019-0841
The first zero-day that SandboxEscaper published today is able to bypass Microsoft's current patch for CVE-2019-0841.
CVE-2019-0841 is a vulnerability that allows low-privileged users to hijack files owned by NT AUTHORITY\SYSTEM by overwriting the permissions on the targeted file. Successful exploitation gives the low-privileged user "Full Control" permissions on that file, according to Nabeel Ahmed of Dimension Data Belgium, whom Microsoft credited with discovering the bug in the first place.
The second zero-day, also published by SandboxEscaper today, targets the Windows Installer folder (C:\Windows\Installer).
"Figure out how this works for yourself. I can't be bothered. It's a really hard race, doubt anyone will be able to repro anyway. Could be used with malware, you could programmatically trigger the rollback. Maybe you can even pass the silent flag to hide installer UI and find another way to trigger rollback (i.e. through installer api, injecting into medium IL msiexec etc)."
This exploit abuses the msiexec /fa (Repair Installation) operation and could be used to inject malware and take over computers on which attackers had initially gained access only to a low-privileged account.
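Both bugs described above end in the same observable state on disk: a file that NT AUTHORITY\SYSTEM owns now carries an access control entry granting "Full Control" to a broad low-privilege principal, and for the second bug the affected files live under C:\Windows\Installer. The following PowerShell audit is an added example for defenders; it is not code from the article or from SandboxEscaper's repository. The default directory, the list of "broad" principals treated as suspicious, and the threshold of FullControl are assumptions, and a hit only means the ACL deserves review, not that exploitation occurred. Run it from an elevated prompt so that ACL reads on protected files are not denied.

```powershell
# Added example (not from the article): audit SYSTEM-owned files for ACEs that
# grant FullControl to broad, low-privilege principals. Such an ACE matches the
# end state described for CVE-2019-0841 and is worth investigating.
param(
    # Assumed starting directory; the second zero-day targets this folder.
    [string]$Path = "$env:SystemRoot\Installer",
    # Assumed set of principals that should never hold FullControl on SYSTEM files.
    [string[]]$BroadPrincipals = @(
        'BUILTIN\Users',
        'Everyone',
        'NT AUTHORITY\Authenticated Users',
        'NT AUTHORITY\INTERACTIVE'
    )
)

$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

Get-ChildItem -Path $Path -File -Force -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $acl = Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue
    # Only files owned by SYSTEM are in scope for this check.
    if (-not $acl -or $acl.Owner -ne 'NT AUTHORITY\SYSTEM') { return }

    foreach ($ace in $acl.Access) {
        $principal = $ace.IdentityReference.Value
        # Flag explicit or inherited Allow entries that include every FullControl bit.
        if ($ace.AccessControlType -eq 'Allow' -and
            $principal -in $BroadPrincipals -and
            (($ace.FileSystemRights -band $fullControl) -eq $fullControl)) {
            [pscustomobject]@{
                File      = $_.FullName
                Owner     = $acl.Owner
                Principal = $principal
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}
```

Non-inherited (explicit) hits on individual files are the more interesting ones, since a permission rewrite on a single SYSTEM-owned file leaves an explicit ACE rather than one inherited from the parent folder; the Inherited column makes that distinction visible. The same script can be pointed at other SYSTEM-owned locations by changing the Path parameter.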
Currently, both Microsoft zero-days remain unpatched; we hope Microsoft will patch these two vulnerabilities soon.
We will update this article once they are patched.