Microsoft Defender 'RoguePlanet' Zero-Day Grants SYSTEM Privileges (bleepingcomputer.com)
- Reference: 0183742636
- News link: https://it.slashdot.org/story/26/06/10/2053232/microsoft-defender-rogueplanet-zero-day-grants-system-privileges
- Source link: https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-rogueplanet-zero-day-grants-system-privileges/
> The researcher shared a proof-of-concept exploit on Tuesday afternoon in a self-hosted Git repository after saying that GitHub and GitLab repositories hosting their exploits had previously been removed by Microsoft. "The exploit is a race condition, so it's a hit or miss. I have managed to get a 100% success rate on some machines while it struggled to work on others," Nightmare Eclipse wrote in the repository.
>
> [...] Cybersecurity firm ThreatLocker told BleepingComputer that they successfully reproduced the flaw in their testing and confirmed the exploit worked against fully patched Windows 11 systems with KB5094126 installed, and shared a video demonstrating it. "Our initial analysis confirms that the RoguePlanet exploit is viable and performs as described. Organizations using application allowlisting can prevent the exploit from executing, providing an effective layer of protection against this attack," Danny Jenkins, CEO of ThreatLocker, told BleepingComputer.
>
> According to Nightmare Eclipse, RoguePlanet was originally developed as a remote code execution vulnerability that exploited Microsoft Defender's handling of files hosted on remote SMB shares. "In initial development, it was confirmed that this vulnerability was a remote code execution," the researcher explained in a [3]blog post . "It required an attacker to coerce a victim to open a .vhd(x) in a remote SMB server, succesful exploitation resulted in defender overwriting its own files and obviously the end outcome was an RCE."
>
> The researcher says another attack scenario could lead to remote code execution simply by coercing a victim into opening an SMB share if symlink evaluation settings were enabled. However, the researcher claims Microsoft silently hardened Defender in mid-May by patching "mpengine!SysIO*" API, which blocked junction attacks. "Rewriting RoguePlanet to make it functional again drained my soul and I couldn't complete the other scenarios and for now it remains unclear if RoguePlanet is limited to LPE or there is some sort of way to turn it into an RCE," the researcher wrote.
[1] https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-rogueplanet-zero-day-grants-system-privileges/
[2] https://tech.slashdot.org/story/26/06/10/0337257/microsoft-smashes-record-for-biggest-ever-patch-tuesday-update
[3] https://deadeclipse666.blogspot.com/
Sounds obsessive. (Score:2)
> "Rewriting RoguePlanet to make it functional again drained my soul and I couldn't complete the other scenarios and for now it remains unclear if RoguePlanet is limited to LPE or there is some sort of way to turn it into an RCE," the researcher wrote.
Maybe try to get out more.
Re: (Score:2)
Apparently they're homeless because Microsoft didn't pay out so getting out more is probably the last thing on their mind since mission accomplished - they're outside already.
Re: (Score:2)
> Maybe try to get out more.
Read your .sig
I think I've had to reboot Win11 3 times this week (Score:1)
for updates. Microsoft must be loving the AI vulnerability scanning, lol.
What are the chances that... (Score:1)
these folks coming out of the woodwork to show us all of these new shiny vectors -- could it just be some insider spillin' 20 years worth of beans?
Hell Hath No Fury (Score:3)
like a bounty-seeker scorned.
Shoulda just paid 'em.
He sounds quite knowledgeable and it looks like he'll continue whipping Defender until morale improves.
It's worth noting that the black market would pay handsomely for most of his discoveries but retribution is sweeter than cash.
I get the sentiment.
Sure it's not Windows 95/98....? (Score:1)
The description reads like many a ntlm/cifs exploit.....