A micropatch has been released today for a vulnerability in Windows that allows overwriting files, even system ones, with arbitrary data.
The bug was disclosed on December 27 by the security researcher using the online alias SandboxEscaper. Before that, she tweeted that she let Microsoft know about the flaw in an email to Microsoft Security Response Center (MSRC).
Mitja Kolsek, CEO of Acros Security, announced that a micropatch is now available through the company’s 0patch product.
We have just issued a micropatch for SandboxEscaper’s #angrypolarbearbug 0day. The vulnerability allows a low-privileged user to have any file overwritten with the content of a Windows Error Reporting XML file. This could potentially lead to arbitrary code execution as SYSTEM. pic.twitter.com/KWzJ1nUNIo
— 0patch (@0patch) January 17, 2019
SandboxEscaper also published proof-of-concept (PoC) exploit code that overwrites the system component ‘pci.sys’ with the contents of a Windows Error Reporting file, a file type used for logging software and hardware problems on the system. Microsoft has yet to release a fix for the bug.
Kolsek says that the issue could potentially be exploited to run arbitrary code with SYSTEM privileges, the highest on a Windows system.
The micropatch works for 64-bit Windows 10 version 1803; users needing a variant for other Windows versions are encouraged to contact the company.
Kolsek published a video showing how the 0patch temporary fix prevents overwriting data in a protected file.
Micropatches are temporary solutions delivered as bite-size code that fix a software security issue by streaming the fix into running processes. They are delivered through a local agent and do not require a reboot of the system or relaunching the program.
Because ‘pci.sys’ is a component that ensures correct booting of the operating system, SandboxEscaper’s exploit can be used in its current form to cause a denial-of-service condition.
Will Dormann, a vulnerability analyst at CERT/CC, analyzed the PoC at the time of its release and said that the overwrite action was not 100% reliable.
However, someone interested in making it work could refine it for more consistent results.