SandboxEscaper releases patched CVE-2019-0841 bypass

SandboxEscaper, a Cyber Security researcher has recently released the details of CVE-2019-0841. It has published on GitHub with the previously disclosed eight zero days that affects the Windows 10 and Windows server 2019.

We wrote about this eight zero-day vulnerability located in Task Scheduler last month. The bug enables users to automatically perform routine tasks on their machines. The flaw exploits in Task Scheduler’s component named SchRpcRegsiterTask enable registry of the task with the server. An arbitrary DACL that is discretionary access control list permission has been set due to the bug and so the proper check for permission hasn’t performed.

CVE-2019-0841 case

CVE-2019-0841 vulnerability exists hard disks is not properly handled by Windows AppX Deployment Service (AppXSVC). This exploit leads an attacker to successfully run process in an elevated context that enables them to install various programs and change and delete the stored data.

Microsoft Security Advisory states, this vulnerability allows low privileged users to hijacker files that are owned by NT AUTHORITY\SYSTEM by overwriting permission on the targeted file.

Cyber Security researcher, Nabeel Ahmed from Dimension Data Belgium states, the vulnerability allows an attacker to obtain the full control permission for low privileged users.

Microsoft patched the April 2019 bug Tuesday. SandboxEscaper said there is another way to bypass the CVE-2019-0841 vulnerability and allow the low privileged attacker to hijack files that are previously didn’t have any control over it.  To be clear, there is yet another LPE or Local privilege escalation vulnerability that can’t be exploited by hackers but they can use it to gain access to a set of files they wouldn’t normally have control over.

However, the SandboxEscaper today uses a novel technique. But there are some easier, faster ways to obtain local privilege elevation on Windows. The researcher promised to publish detail on another zero day on coming days.