Mysterious and angry SandboxEscaper publicly posted more Windows 0-day exploits within two days

Just one day after publishing PoC code for a bug in the Windows Task Scheduler, the security researcher known by the nickname SandboxEscaper published two more working exploits.

The first targets a vulnerability in the Windows Error Reporting service, the second a bug in the Internet Explorer browser.

The Windows Error Reporting vulnerability, which she named AngryPolarBearBug2, is exploited through the DACL (Discretionary Access Control List), the list that determines which principals may access an object. The bug is quite difficult to exploit reliably, but a successful attempt lets a low-privileged user modify files that such a user is otherwise not allowed to change.

The second vulnerability affects Internet Explorer 11. According to the description, an attacker can use it to inject malicious code into IE. The exploit does not allow remote exploitation, but it can be used to disable the browser’s security functions.

SandboxEscaper said that she has four 0-day exploits and that she wants to sell them to buyers from non-Western countries. However, she may have changed her mind.

“F*ck this shitty industry. I don’t plan to make a career in it anyway, I hate all the people involved in this industry,” SandboxEscaper writes.

She went on publishing on GitHub, releasing details and PoC code for two more 0-day vulnerabilities, apparently angered by an FBI request to Google concerning her account.

The first bypasses the patch for CVE-2019-0841 that Microsoft engineers released in April 2019. That vulnerability is in the Windows AppX Deployment Service (AppXSVC) and enables local privilege escalation.

The second vulnerability is in the Windows Installer (C:\Windows\Installer).

SandboxEscaper on Twitter. Her account is now blocked.

SandboxEscaper writes that there is a short window during installation in which it is possible to interfere with the process and place files in areas of the OS the user is not authorized to write to. The bug abuses the msiexec /fa repair function (used to repair broken installations) and lets an attacker write a malicious file to an arbitrary location and thereby elevate privileges. This vulnerability is therefore also a local privilege escalation.
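A simple detection check for the behaviour described above, added here as an example and not code from SandboxEscaper or from this article: it scans process-creation records for msiexec repair runs that use the "a" (reinstall all files) option and are started by an ordinary user account rather than a Windows service account. The log lines are constructed for the example, and the "user|image|command line" field layout is an assumption, not a real Sysmon or Windows event format.

```python
"""Flag msiexec "/f...a..." repair runs started by non-service accounts.

Added example: the records below are constructed, and the pipe-separated
"user|image|command line" layout is an assumption for this demo only.
"""
import re

# Service accounts that run msiexec during normal, trusted installs.
SERVICE_ACCOUNTS = {
    r"nt authority\system",
    r"nt authority\local service",
    r"nt authority\network service",
}

# msiexec repair switch: /f or -f followed by option letters; 'a' = reinstall
# all files, which is the option abused in the scenario described above.
REPAIR_SWITCH = re.compile(r"(?:^|\s)[/-]f([pocedamusv]*)(?=\s|$)", re.IGNORECASE)
MSI_PATH = re.compile(r"(\S+\.msi)", re.IGNORECASE)

# Constructed sample records (not real telemetry): user|image|command line
SAMPLE_EVENTS = [
    r"DESKTOP\alice|C:\Windows\System32\msiexec.exe|msiexec.exe /fa C:\Users\alice\Downloads\pkg.msi",
    r"NT AUTHORITY\SYSTEM|C:\Windows\System32\msiexec.exe|msiexec.exe /i C:\Windows\Installer\123abc.msi /qn",
    r"DESKTOP\alice|C:\Windows\System32\msiexec.exe|msiexec.exe /i setup.msi",
    r"DESKTOP\bob|C:\Windows\System32\msiexec.exe|msiexec.exe -famus C:\temp\x.msi",
]


def repair_options(cmdline):
    """Return the option letters of an msiexec /f switch, or None if absent."""
    m = REPAIR_SWITCH.search(cmdline)
    return m.group(1).lower() if m else None


def parse_event(line):
    """Split one constructed record into its three fields."""
    user, image, cmdline = line.split("|", 2)
    return {"user": user, "image": image, "cmdline": cmdline}


def is_suspicious(event):
    """True for a 'reinstall all files' repair launched by a non-service account."""
    if not event["image"].lower().endswith("\\msiexec.exe"):
        return False
    opts = repair_options(event["cmdline"])
    if opts is None or "a" not in opts:
        return False
    return event["user"].lower() not in SERVICE_ACCOUNTS


def find_suspicious(lines):
    """Return the flagged events, each annotated with the .msi package path."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_suspicious(ev):
            m = MSI_PATH.search(ev["cmdline"])
            ev["package"] = m.group(1) if m else None
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(f"{hit['user']}: repair of {hit['package']} -> {hit['cmdline']}")
```

A user-initiated repair is not malicious by itself, so treat a hit as a lead to correlate with file writes under C:\Windows\Installer or other protected directories during the same window, not as a verdict.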

Microsoft representatives have not responded to the publication of the new exploits. Since the problems do not enable remote arbitrary code execution, it can be assumed that patches will not be released before the next Patch Tuesday.

“It marks the end of the exploit spree, at least for now, as there is no further information to suggest she has any more exploit bombs ready to drop,” suggests Forbes columnist and PC Pro Magazine editor Davey Winder.

Winder also considers it important to add:

Mental health issues in the information security industry are rife and reading her blog entries it certainly appears that depression has played a part in SandboxEscaper taking this destructive path with her undoubted abilities.

