Demo exploit code and details are now available about a new zero-day vulnerability in Windows 10 that allows elevating the privileges of a normal user to those of an administrator. An attacker can use it to install programs, view, change or delete data.

The flaw is the second bypass of protections delivered by Microsoft against a local privilege escalation (LPE) bug tracked as CVE-2019-0841 and patched in April.

CVE-2019-0841 can be exploited in the context of a normal user to gain full control of a protected file. The rights obtained are those of an administrator and SYSTEM.

Demoed with Edge, works with other targets

Exploit developer SandboxEscaper published the details for the new LPE zero-day today, saying that it can be triggered from a normal user account by deleting files and folders that its limited privileges already allow it to remove, found in the following location for the Edge browser:

c:\users\%username%\appdata\local\packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\

The first launch of Edge ends in a crash of the application, but launching it again causes it to write the discretionary access control list (DACL) and impersonate the SYSTEM account.

SandboxEscaper explains that Edge should be launched from the taskbar or the desktop shortcut, otherwise there's an incorrect impersonation.

She notes that her exploit code uses Edge only to demonstrate the vulnerability but other packages can trigger the bug, too.

So you can definitely figure out a way to trigger this bug silently without having edge pop up. Or you could probably minimize edge as soon as it launches and close it as soon as the bug completes. I think it will also trigger by just launching edge once, but sometimes you may have to wait a little.

She also says that it took her about two hours to write the proof-of-concept exploit code after finding the vulnerability.

The researcher also makes available a video that demonstrates her findings:

The new zero-day has been confirmed by Will Dormann, vulnerability analyst at CERT/CC, who tested it on Windows 10 versions 1809 and 1903 running the latest security updates from Microsoft.

He also confirmed that the target can be changed to one of the attacker's choice.

By default, the public exploit grants full control of c:\windows\win.ini to the current user as an example. But the target file can easily be changed to anything that the attacker wants.

Something tells me this isn't the last of this sort of bug that we're going to see... — Will Dormann (@wdormann) June 7, 2019
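The observable a defender gets from this class of bug is the outcome Dormann describes: a file under %SystemRoot% whose DACL suddenly grants a low-privilege principal Full Control (win.ini in the public proof of concept). The following PowerShell script is an added example written for this article, not code from SandboxEscaper, Dormann or Microsoft. It audits a list of protected files and reports any Allow ACE that grants broad rights (Modify, Full Control, Take Ownership or Change Permissions) to a principal outside an allow-list of SYSTEM, Administrators and TrustedInstaller. The file list and the allow-list are assumptions chosen for illustration; extend both to match your own baseline.

```powershell
# Added example (not from the article or the PoC): audit DACLs of protected system files
# for ACEs granting broad rights to principals that should never hold them.
# File list and allow-list below are assumptions for illustration.

$TargetFiles = @(
    "$env:SystemRoot\win.ini",                        # target of the public PoC, per the article
    "$env:SystemRoot\System32\drivers\etc\hosts"       # additional example of a protected file
)

# Principals that are expected to hold Modify/Full Control on files under %SystemRoot%.
# Well-known SIDs keep the check independent of display-name localisation.
$AllowedSids = @(
    'S-1-5-18',                                                        # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',                                                    # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'   # NT SERVICE\TrustedInstaller
)

# Rights that let a principal change the file or its security descriptor.
$BroadRights = @(
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.FileSystemRights]::TakeOwnership,
    [System.Security.AccessControl.FileSystemRights]::ChangePermissions
)

function Get-SuspiciousAces {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        # Only Allow ACEs grant anything; Deny ACEs are not a finding here.
        if ($ace.AccessControlType -ne 'Allow') { continue }

        # Normalise the identity to a SID so it can be compared with the allow-list.
        $sid = $ace.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
        if ($AllowedSids -contains $sid) { continue }

        foreach ($right in $BroadRights) {
            # -band on the enum values tests whether every bit of $right is present.
            if (($ace.FileSystemRights -band $right) -eq $right) {
                [pscustomobject]@{
                    Path      = $Path
                    Identity  = $ace.IdentityReference.Value
                    Sid       = $sid
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                    Owner     = $acl.Owner
                }
                break   # one finding per ACE is enough
            }
        }
    }
}

$findings = foreach ($file in $TargetFiles) {
    if (Test-Path -LiteralPath $file) { Get-SuspiciousAces -Path $file }
}

if ($findings) {
    Write-Warning "Unexpected broad rights on protected files:"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No principal outside the allow-list holds Modify/Full Control on the audited files."
}
```

Run it from an elevated prompt so Get-Acl can read every descriptor; the Owner column is included because a DACL rewrite of this kind is often accompanied by an owner change, which is a second indicator worth recording. A non-inherited ACE naming an individual user account on a file under %SystemRoot% is the shape of finding this bug would leave behind.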

The original privilege escalation bug is tracked as CVE-2019-0841 and was discovered and reported to Microsoft by multiple security researchers.

Nabeel Ahmed of Dimension Data was one of them, and soon after a patch became available he released technical details and demo exploit code.

SandboxEscaper released a first bypass for CVE-2019-0841 on May 23, along with a sandbox escape present in Internet Explorer 11. This latest bypass is the fourth zero-day in a string of nine released since late August 2018:

And she's not done. A post on her blog says that there is one more zero-day to come: