A security researcher has disclosed exploit code for a fourth zero-day vulnerability in the Windows operating system in as many months. The bug enables overwriting a target file with arbitrary data.

Running the proof-of-concept (PoC) code provided by the researcher, who uses the online alias SandboxEscaper, results in overwriting 'pci.sys' with information about software and hardware problems collected through the Windows Error Reporting (WER) event-based feedback infrastructure.

PoC effect is not guaranteed

The researcher warns that the exploit she wrote works with some limitations and may not have the expected effect on some CPUs. For instance, she could not reproduce the bug on a machine with one CPU core.

The bug could also take a while to produce an effect, says SandboxEscaper, because it relies on a race condition and other operations may break the outcome.

This is confirmed by Will Dormann, a vulnerability analyst at CERT/CC, who was able to reproduce the bug on Windows 10 Home, build 17134. He also added that the overwrite does not occur consistently.

This latest 0day from SandboxEscaper requires a lot of patience to reproduce. And beyond that, it only *sometimes* overwrites the target file with data influenced by the attacker. Usually it's unrelated WER data. https://t.co/FnqMRpLy77 pic.twitter.com/jAk5hbr46a — Will Dormann (@wdormann) December 29, 2018

Mitja Kolsek, CEO of Acros Security, commented that 100% reliability wouldn't matter if the attacker had a way to verify the success of the exploit.

I haven't tried it out yet but if it's a local privilege escalation and you can check if exploit succeeded, I suppose it doesn't matter if it only works once in a hundred tries. — Mitja Kolsek (@mkolsek) December 30, 2018

Since the target is 'pci.sys,' SandboxEscaper's PoC can cause a denial of service on the machine from a user account that does not have administrative privileges. 'Pci.sys' is a system component necessary for correctly booting the operating system, since it enumerates physical device objects.

It could be used with other files, though. "There's nothing special about pci.sys. It was just used as an example of a file that shouldn't be able to be overwritten," Dormann told BleepingComputer.

"You can also use it to perhaps disable third-party AV software," SandboxEscaper speculates when describing the exploit.

Researcher rushed out the PoC, but emailed Microsoft first

SandboxEscaper announced on December 25 that she would publicly release the PoC for a new bug in Windows on New Year's, but changed her mind two days later and published the details.

She tweeted that she informed the Microsoft Security Response Center (MSRC) about the bug "to give them a headstart." BleepingComputer reached out to MSRC for confirmation but had not received a reply by publishing time.

This exploit is the second one SandboxEscaper released publicly this month for a zero-day bug in Windows. On December 19 she published code that enables reading protected files.

In late August she published an exploit that increases privileges to SYSTEM on Windows via a vulnerability in the Task Scheduler component. Two months later, towards the end of October, she dropped a PoC for another privilege escalation bug that allows deleting any file without permission.