May 2019 0-day disclosures

Starting Tuesday, May 21, a security researcher publicly disclosed multiple elevation-of-privilege vulnerabilities by posting proof-of-concept code on GitHub. Successful exploitation of these vulnerabilities requires an attacker to already have code execution.

The researcher has released six sets of proof-of-concept code, five of which exploit four zero-day vulnerabilities affecting different Windows components. The sixth proof-of-concept code targeted a vulnerability (CVE-2019-0863) that was addressed in May 2019. As part of the June 2019 Security Updates, Microsoft has also released fixes for four other affected vulnerabilities.

Microsoft is actively preparing a host of protections to detect and stop known exploitation methods. Customers are advised to review the listed mitigations. Ensure your antimalware products are up-to-date and turn on automatic updates so that security updates are promptly deployed as soon as they become available.

At the time of publication, there are no active attacks in the wild exploiting the disclosed vulnerabilities. Below are some details about the vulnerabilities, listed under names used by the security researcher.

  • BearLPE (CVE-2019-1069)—An elevation-of-privilege vulnerability in the Task Scheduler component of Windows. An attacker who successfully exploits this vulnerability would be able to import a scheduled task as a non-privileged user and use the vulnerability to execute arbitrary code as SYSTEM. A fix for this vulnerability is available with the June 2019 Security Updates.
  • SandboxEscape (CVE-2019-1053)—An elevation-of-privilege vulnerability in the Windows Shell file picker component accessed through Internet Explorer. An attacker who successfully exploits this vulnerability would be able to escape the browser sandbox, which provides defense in depth. A fix for this vulnerability is available with the June 2019 Security Updates.
  • AngryPolarBearBug2 (CVE-2019-0863)—A known elevation-of-privilege vulnerability in the Windows Error Reporting component. This vulnerability is documented as CVE-2019-0863 | Windows Error Reporting Elevation of Privilege Vulnerability and was addressed in the May 2019 security update.
  • CVE-2019-0841-Bypass (CVE-2019-1064)—CVE-2019-0841 is a vulnerability in the Windows AppX Deployment Service (AppXSVC) that was patched in the May 2019 security updates. The posted proof-of-concept code bypasses the fix in the update through a flaw now identified as CVE-2019-1064. An attacker could exploit the Windows AppX Deployment Service to write a discretionary access control list (DACL) that can be utilized to elevate permissions. An attacker who successfully utilizes this vulnerability could execute code as a non-privileged user and use this vulnerability to run arbitrary code as SYSTEM. A fix for this vulnerability is available with the June 2019 Security Updates.
  • InstallerBypass (CVE-2019-0973)—The posted proof-of-concept exploit utilizes the rollback feature of Msiexec, the Windows Installer Service, to elevate privileges and place files in the System32 directory. If an attacker was able to successfully exploit this vulnerability, they could place binaries in the System32 directory and run them with elevated privileges. A fix for this vulnerability is available with the June 2019 Security Updates.
  • ByeBear or CVE-2019-0841-Bypass 2 (no new CVE ID assigned)—Posted on June 7, 2019, the proof-of-concept exploit is another bypass for the CVE-2019-0841 fix released in the May 2019 security updates. Microsoft will provide updates on the CVE ID as well as possible fixes for this vulnerability. In the meantime, monitor exploitation activity using the EDR detection "Possible AppXSVC elevation-of-privilege exploit".

Key insights

  • The disclosed vulnerabilities can potentially be exploited to achieve privilege escalation. To perform exploitation, the attacker must already have code execution capabilities.
  • At the time of publication, Microsoft has not yet observed real-world attacks that exploit the disclosed vulnerabilities or use the published proof-of-concept code.
  • Microsoft is actively reviewing the disclosures and will take appropriate action based on security impact.
  • Customers are advised to review the list of recommended mitigations. We have prepared multiple protections designed to identify and block exploitation of disclosed vulnerabilities. We will continue to prepare and release more protections.

Mitigations

Apply these mitigations to reduce the impact of exploitation of these vulnerabilities.

  • Prioritize the deployment of the May 2019 Security Updates to address the Windows Error Reporting vulnerability or AngryPolarBearBug2 (CVE-2019-0863). Deploy the June 2019 Security Updates to address BearLPE (CVE-2019-1069), SandboxEscape (CVE-2019-1053), CVE-2019-0841-Bypass (CVE-2019-1064), and InstallerBypass (CVE-2019-0973).
  • While fixes for ByeBear or CVE-2019-0841-Bypass 2 are being prepared, monitor exploitation activity using the EDR detection "Possible AppXSVC elevation-of-privilege exploit".
  • An attacker must already have code execution capabilities to exploit any of the vulnerabilities. You can reduce the likelihood of attackers obtaining these capabilities by securing Microsoft Office to prevent code execution via malicious documents and by blocking unnecessary attachment types. Follow standard guidance in the security baselines for Office and Office 365 and the Windows security baselines.
  • The existing proof-of-concept exploit code for the Task Scheduler flaw (BearLPE) requires valid credentials. Attacks will need to be tailored to use known credentials or credentials that can be easily guessed. Maintain credential hygiene and enforce strong, randomized local administrator passwords with tools like LAPS.
  • Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
  • Deploy the latest security updates as soon as they become available.

Detection details

Antivirus

Windows Defender Antivirus detects known exploit code and possible exploitation attempts as the following malware:

  • Behavior:Win32/Belonar.A (SandboxEscape activity)
  • Exploit:Win64/Anpobe.A (AngryPolarBearBug2 exploit code)
  • Behavior:Win32/Belonar.B (BearLPE activity)

Endpoint detection and response (EDR)

Alerts with the following titles in the Microsoft Defender Security Center portal can indicate threat activity on your network:

  • Possible elevation-of-privilege exploit for CVE-2019-0863
  • Possible AppXSVC elevation-of-privilege exploit
  • Possible Task Scheduler elevation-of-privilege exploit
  • Task Scheduler elevation-of-privilege exploit
  • Anomalous file write to a protected folder by an unprivileged process
  • Junction folder abuse
  • Task Scheduler exploit code
  • Windows Error Reporting exploit code
  • Internet Explorer exploit code

Advanced hunting

To locate possible exploitation activity, run the following queries:

//Find possible CVE-2019-0863 exploitation
ProcessCreationEvents
| where FileName =~ "schtasks.exe"
| where ProcessCommandLine contains "Windows Error Reporting"
and ProcessCommandLine contains "/run"

//Find possible use of BearLPE (Task Scheduler exploit)
ProcessCreationEvents
| where FileName =~ "schtasks.exe"
| where ProcessCommandLine contains "/change"
and ProcessCommandLine contains " /TN "
and ProcessCommandLine contains " /RU "
and ProcessCommandLine contains " /RP "
and ProcessCommandLine !contains " /S "
and ProcessCommandLine !contains " /ST "
and ProcessCommandLine !contains " /SD "
and ProcessIntegrityLevel !in ("", "High", "System")

//Find possible use of SandboxEscape (Internet Explorer 11 exploit)
FileCreationEvents
| where FolderPath contains @".{0afaced1-e828-11d1-9187-b532f1e9575d}\"
and FileName endswith ".lnk"

//Find possible use of InstallerBypass (Windows Installer Service exploit)
ProcessCreationEvents
| where FileName =~ "msiexec.exe"
| where ProcessCommandLine contains "/fa"
and ProcessCommandLine contains ":\\windows\\installer"

//Find possible use of ByeBear (CVE-2019-0841-Bypass 2)
ProcessCreationEvents
| where ProcessCommandLine contains @"packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe"
and ProcessCommandLine contains "/S /Q"
and (ProcessCommandLine contains "rmdir" or ProcessCommandLine contains "del")

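The five hunting queries above re-implemented as Python predicates, added here as an example (not Microsoft's code) so the matching logic can be unit-tested offline against constructed telemetry before it is tuned in the portal. Event dicts use the ProcessCreationEvents and FileCreationEvents column names from the queries; every sample event is constructed, and the KQL semantics are mirrored (case-insensitive `contains`, case-sensitive `!in`).

```python
# Added example (not Microsoft's code); dict keys mirror the hunting-query columns.
def _has(text: str, sub: str) -> bool:
    return sub.lower() in text.lower()  # KQL `contains` is case-insensitive

def is_cve_2019_0863(ev: dict) -> bool:
    cmd = ev.get("ProcessCommandLine", "")
    return (ev.get("FileName", "").lower() == "schtasks.exe"
            and _has(cmd, "Windows Error Reporting") and _has(cmd, "/run"))

def is_bearlpe(ev: dict) -> bool:
    cmd = ev.get("ProcessCommandLine", "")
    return (ev.get("FileName", "").lower() == "schtasks.exe"
            and all(_has(cmd, t) for t in ("/change", " /TN ", " /RU ", " /RP "))
            and not any(_has(cmd, t) for t in (" /S ", " /ST ", " /SD "))
            and ev.get("ProcessIntegrityLevel", "") not in ("", "High", "System"))  # `!in` is case-sensitive

def is_sandboxescape(ev: dict) -> bool:
    return (_has(ev.get("FolderPath", ""), ".{0afaced1-e828-11d1-9187-b532f1e9575d}\\")
            and ev.get("FileName", "").lower().endswith(".lnk"))

def is_installerbypass(ev: dict) -> bool:
    cmd = ev.get("ProcessCommandLine", "")
    return (ev.get("FileName", "").lower() == "msiexec.exe"
            and _has(cmd, "/fa") and _has(cmd, ":\\windows\\installer"))

def is_byebear(ev: dict) -> bool:
    cmd = ev.get("ProcessCommandLine", "")
    return (_has(cmd, "packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe")
            and _has(cmd, "/S /Q") and (_has(cmd, "rmdir") or _has(cmd, "del")))

RULES = {"CVE-2019-0863": is_cve_2019_0863, "BearLPE": is_bearlpe, "SandboxEscape": is_sandboxescape,
         "InstallerBypass": is_installerbypass, "ByeBear": is_byebear}

def hunt(events):
    """Return (rule name, event index) for every event that a rule matches."""
    return [(name, i) for i, ev in enumerate(events) for name, rule in RULES.items() if rule(ev)]

# Constructed sample telemetry: one hit per family plus a benign `schtasks /create` that must not match.
SAMPLE_EVENTS = [
    {"FileName": "schtasks.exe", "ProcessIntegrityLevel": "Medium",
     "ProcessCommandLine": 'schtasks /change /TN "Bear" /RU user /RP pass '},
    {"FileName": "schtasks.exe", "ProcessIntegrityLevel": "High",
     "ProcessCommandLine": "schtasks /create /TN Backup /ST 09:00 /S srv01 /TR backup.cmd"},
    {"FileName": "msiexec.exe", "ProcessIntegrityLevel": "Medium",
     "ProcessCommandLine": "msiexec /fa C:\\Windows\\Installer\\abc123.msi"},
    {"FileName": "cmd.exe", "ProcessIntegrityLevel": "Medium", "ProcessCommandLine":
     "cmd /c rmdir /S /Q C:\\Users\\u\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC"},
    {"FileName": "a.lnk", "FolderPath": "C:\\Users\\u\\AppData\\Local\\Temp\\x.{0afaced1-e828-11d1-9187-b532f1e9575d}\\"},
]
```

Running `hunt(SAMPLE_EVENTS)` flags events 0, 2, 3 and 4 and leaves the benign `schtasks /create` (event 1) alone, which is the behaviour to preserve when loosening or tightening any of the switch checks.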