RougePlanet Zero-Day
What's the exploit?
It escalates a low-privilege user to NT SYSTEM level, just below TrustedInstaller.
How does it work?
Well, in a nutshell, it exploits a race condition in Windows Defender. More in depth: the program creates a malware file containing the EICAR test string, which the brilliant Windows Defender flags. This means Windows Defender (I think) reads the file, which is located in %TEMP%\(random characters)\System32. Now, what happens is that Defender sort of takes the file out of that directory to look at it. The program sees that Defender has taken it out, and turns %TEMP%\(random characters)\System32 into a sort of link that actually leads to C:\Windows\System32. Once Windows Defender realises the file is actually okay, it sends it back to the %TEMP%\(random characters)\System32 directory. But that directory now links to C:\Windows\System32, so Windows Defender, which has the power to move stuff into C:\Windows\System32, moves it there. What happens next is that a new Task Scheduler service is initiated, which triggers \Microsoft\Windows\Windows Error Reporting\QueueReporting; that task runs the malware as NT AUTHORITY\SYSTEM, the second highest power inside Windows (TrustedInstaller is still higher, but this is pretty powerful).
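The defender's foothold in the sequence above is the staging directory itself: a %TEMP%\(random characters)\System32 path that has been turned into a link pointing into C:\Windows\System32 has no business existing on a healthy host, and it appears before the scheduled task ever fires. The script below is an added example, not code from the original post or its author. It walks a staging root without following links, flags any symlink (or, on Python 3.12+ on Windows, NTFS junction) whose resolved target lands inside a protected directory, and its self-test builds a constructed fixture in a temporary directory instead of touching the real System32. The protected-directory list and the fixture paths are assumptions.

```python
"""Find links under a staging root that redirect into protected system paths.

Added example, not part of the original post. The staging layout it looks for
is the one the post describes (%TEMP%\\<random>\\System32 pointing at
C:\\Windows\\System32); the protected list and the self-test paths are assumed.
"""
import os
import tempfile
from pathlib import Path

# Directories an AV quarantine/restore should never be redirected into.
# Assumption: a real deployment tunes this per host.
DEFAULT_PROTECTED = [r"C:\Windows\System32"] if os.name == "nt" else ["/usr/lib"]


def _is_link(path: str) -> bool:
    """True for symlinks and, where the runtime supports it, NTFS junctions."""
    isjunction = getattr(os.path, "isjunction", lambda p: False)
    return os.path.islink(path) or isjunction(path)


def _inside(target: Path, protected: Path) -> bool:
    """True when target equals protected or lies beneath it."""
    try:
        target.relative_to(protected)
        return True
    except ValueError:
        return False


def find_redirecting_links(root, protected_dirs):
    """Return (link_path, resolved_target) pairs for every link below root
    that resolves into one of protected_dirs.

    followlinks=False keeps the scan from being pulled into the protected
    directory through the very link it is trying to detect.
    """
    protected = [Path(p).resolve() for p in protected_dirs]
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if not _is_link(full):
                continue
            try:
                target = Path(full).resolve(strict=False)
            except OSError:
                continue  # dangling or unreadable link; nothing to redirect into
            if any(_inside(target, p) for p in protected):
                findings.append((full, str(target)))
    return findings


def demo():
    """Self-test on a constructed fixture: a fake Windows\\System32, a benign
    staging subdirectory, and a staging 'System32' that is really a link into
    the fake protected directory. Returns findings as POSIX-style relative
    paths so the result is stable across platforms."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        protected = base / "Windows" / "System32"
        protected.mkdir(parents=True)
        staging = Path(tmp, "Temp", "x7q2")      # "x7q2" stands in for the random name
        staging.mkdir(parents=True)
        (staging / "benign").mkdir()             # ordinary directory, must not be flagged
        os.symlink(protected, staging / "System32", target_is_directory=True)

        hits = find_redirecting_links(Path(tmp, "Temp"), [protected])
        return [
            (Path(os.path.relpath(link, tmp)).as_posix(),
             Path(os.path.relpath(target, base)).as_posix())
            for link, target in hits
        ]


if __name__ == "__main__":
    for link, target in demo():
        print(f"ALERT: {link} redirects into {target}")
    # On a real host, scan the user temp roots against DEFAULT_PROTECTED instead.
```

Run it periodically against each user's temp root (the post's staging path lives under %TEMP%); a single hit on the `<random>\System32` layout is worth an alert on its own, since the second half of the chain, the QueueReporting task running the planted binary, only works after the redirect is in place.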
Is microsoft aware?
Yes. And just as a heads up to the script kiddies, this doesn't have a 100% success rate on EVERY machine. For example, I ran this on a VM and uhh... it was very quickly flagged by Microsoft Defender as malware, and my browser flagged it too, so this is pretty hit or miss. On some machines it works 100% of the time, on others much, much less. Soo
Quick note:
I didn't really know what else to say, so this is pretty short (I guess). Not much to say.