Tag Archives: DeleteBug

Windows Data Sharing Service Zero Day Disclosed

In late October, a new Windows zero day vulnerability (defined) was publicly disclosed (defined) by the security researcher SandboxEscaper (the same researcher who disclosed the Task Scheduler zero day in early September. This vulnerability affects a Windows service; Data Sharing Service (dssvc.dll) present in Windows 10 and its Server equivalents 2016 and 2019. Windows 8.1 and Windows 7 (and their Server equivalents (Windows Server 2008 R2, Windows Server 2012 R2) are not affected.

How severe is this vulnerability and what is its impact?
Similar to the Task Scheduler vulnerability; this vulnerability is not remotely exploitable by an attacker (more on this below). This vulnerability should be considered medium but not critical severity. When exploited it can allow an attacker to delete any files they choose since they will inherit the same level of permission (privilege escalation)(defined) as the Data Sharing Service namely LocalSystem privileges (the highest level of privilege)(defined) but they cannot initiate this automatically/remotely. They must socially engineer a potential victim into opening an attachment (most likely sent over email or via instant messaging etc.).

As with the Task Scheduler vulnerability; this vulnerability may be leveraged in the wild before it is patched by Microsoft; this is my reason for advising exercising caution with email and clicking unexpected links.

While security researchers such as Will Dormann (mentioned above) and Kevin Beaumont were successful in verifying the proof of concept code worked; they class the vulnerability difficult to exploit. This was verified by Acros Security CEO Mitja Kolsek noting he could not find a “generic way to exploit this for arbitrary code execution.” Indeed, SandboxEscaper described the vulnerability as a low quality bug (making it a “pain” to exploit). Tom Parson’s from Tenable (the vendor of the Nessus vulnerability scanner) summed it up nicely stating “to put the threat into perspective, an attacker would already need access to the system or to combine it with a remote exploit to leverage the vulnerability”.

The vulnerability may allow the attacker to perform DLL hijacking (defined) by deleting key system DLLs (defined) and then replacing them with malicious versions (by writing those malicious files to a folder they have now have access to). Alternatively this functionality could be used to make a system unbootable by for example deleting the pci.sys driver. This has earned the vulnerability the name “Deletebug.”

How can I protect my organization/myself from this vulnerability?
As before with the Task Scheduler vulnerability; please continue to exercise standard vigilance in particular when using email; e.g. don’t click on suspicious links received within emails, social media, via chat applications etc. Don’t open attachments you weren’t expecting within an email (even if you know the person; since their email account or device they access their email from may have been compromised) and download updates for your software and devices from trusted sources e.g. the software/device vendors. This US-CERT advisory also provides advice for safely handling emails.

If you choose to; the firm 0patch has issued a micro-patch for this vulnerability. They developed the fix within 7 hours of the vulnerabilities disclosure. It blocks the exploit by adding impersonation to the DeleteFileW call. This was the same firm who micro-patched the recent Windows Task Scheduler vulnerability and JET vulnerabilities. Moreover; this vulnerability may be patched tomorrow when Microsoft releases their November 2018 updates.

As with the above mitigations; if you wish to deploy this micropatch please test how well it works in your environment thoroughly BEFORE deployment.

It can be obtained by installing and registering 0patch Agent from https://0patch.com Such micropatches usually install and need no further action when Microsoft officially patches the vulnerability since the micropatch is only active when a vulnerable version of the affected file is used; once patched the micropatch has no further effect (it is then unnecessary).

Thank you.