An exploit broker and hacker, SandboxEscaper, made a comeback and published the details of a new zero-day that bypasses the already patched local privilege escalation vulnerability, CVE-2019-0841, on Windows 10 and Windows 9 server operating systems.
The details of the zero-day were published on GitHub, from the same account and repository attributed to the leaks of 8 other previously released zero-days. SandboxEscaper has been actively leaking zero-day exploits since August 2018; some of the previously leaked zero-days are listed below:
LPE in Advanced Local Procedure Call (ALPC)
LPE in Microsoft Data Sharing (dssvc.dll)
LPE in the Windows Error Reporting (WER) system
LPE exploit in the Windows Task Scheduler process
Sandbox escape for Internet Explorer 11
Bypass of the CVE-2019-0841 protections
LPE targeting the Windows Installer folder
An attacker who exploits CVE-2019-0841, which Microsoft patched in April, can go on to install malicious programs and edit or delete data. The exploit is triggered by deleting all files, folders, and subfolders belonging to the Edge browser.
Commenting on the matter, Will Dormann, Vulnerability Analyst at the CERT/CC, says, “I’ve confirmed that this works on a fully-patched (latest May updates) Windows 10 (1809 and 1903) system. This exploit allows a normal desktop user to gain full control of a protected file.”
“Make sure you have multiple cores in your VM (not multiple processors, multiple cores). It’s going to increase the thread priority to increase our odds of winning the race condition that this exploits.”
In short, the attacker must log in as a local user and run the exploit, which triggers the vulnerability and lets them change system permissions and gain full control of the system, effectively acting as an administrator.