A zero-day exploit for a Local Privilege Escalation (LPE) vulnerability in Windows has gone up for public sale on the Dark Web, with the seller asking $85,000.

According to Trustwave, while the most coveted zero day would be a Remote Code Execution (RCE) exploit, LPE vulnerabilities are likely next in line in popularity because they’re key to the infection process.

For instance, an LPE exploit paired with a client-side RCE exploit can allow an attacker to escape an application that implements sandbox protection, like Google Chrome or Adobe Reader—and it provides persistence on infected machines for APTs.

The way this sought-after piece of code is being marketed is interesting. The development of zero days has become a bigger and bigger piece of the cyber-criminal underground economy. However, usually zero-day transactions are private (you have to “know people”). This latest exploit is offered as one of many wares up for sale in a Russian underground market, alongside exploit kit leases, web shells for compromised websites and botnet rentals.

“Finding a zero day listed in between these fairly common offerings is definitely an anomaly,” Trustwave SpiderLabs researchers said, in a blog. “It goes to show that zero days are coming out of the shadows and are fast becoming a commodity for the masses, a worrying trend indeed.”

That’s a price-cut from its original $90,000 price tag, indicating that the seller may be having problems finding a buyer. The pricing seems in line with the market however. In one analysis of the zero-day market and prices, it was shown that a person named Eugene Ching was paid a total of $80,000 for a working zero day. The payment was divided to a contract fee and a bonus for the specific delivery. Meanwhile, zero-day vendor Zerodium will pay anywhere from $5,000 to a half-million dollars for one, depending on the nature of the zero day.

In this case, the buyer will receive the source code project based on MSVC2005, with all the source code of the exploit and a demo for the exploit; free of charge updates to address any Windows version that the exploit might not work on (i.e., Windows 10); a detailed write up of the vulnerability details (including the specific vulnerable code in win2k); complementary consultation on integrating the exploit according to the user’s needs (within reason); and on request, the seller will convert the source code project to a different MSVC version.

“The exploit will be sold exclusively to a single buyer,” Trustwave noted. “Additionally, the seller provides two proof videos for any potential buyers that might be concerned with the validity of the offer. The first video shows a fully updated Windows 10 machine being exploited successfully, by elevating the CMD EXE process to the SYSTEM account. It is interesting to note that the video was actually recorded on Patch Tuesday and the author made sure the latest updates were installed. The second video shows the exploit successfully bypassing all of EMET protections for the latest version of the product.”

All in all it looks valid—though of course there’s no way of telling for sure without buying the zero-day or waiting for it to appear in the wild. What’s certain is that the development represents a new page in how the criminal economy works—one well worth watching.

Photo © Lisa Alisa