Zero-Day Windows Data Sharing Service Vulnerability Discovered

A Windows zero-day vulnerability has been discovered that allows hackers to delete application DLLs, which can crash a system and could potentially be used to hijack it. The vulnerability allows an attacker to elevate privileges and delete files that should only be accessible by admins, and takes advantage of a Windows service that fails to check permissions.

That service, the Windows Data Sharing Service (dssvc.dll), was introduced in Windows 10, so previous Windows versions are unaffected. The flaw is also present in Windows Server 2016 and Server 2019.

In order to exploit the Windows Data Sharing Service vulnerability, the attacker would already need access to the system, so for the flaw to be remotely exploitable it would need to be combined with another exploit. This would limit the potential for it to be used in an attack.

While it is possible to exploit the vulnerability to run commands on a system, the most probable use is sabotage, as it allows files to be deleted, which would render applications or systems inoperable.

The Windows Data Sharing Service vulnerability was discovered by security researcher SandboxEscaper. SandboxEscaper also recently published a proof-of-concept for a zero-day vulnerability in Windows Task Scheduler, which was subsequently adopted by a range of threat actors and used in real-world attacks.

While the flaw is similar to the previously discovered vulnerability, in the sense that it allows non-admins to delete files as a result of a Windows service failing to check permissions, this vulnerability is much more difficult to exploit. SandboxEscaper explained in an October 23 tweet that it is “a low quality bug that is a pain to exploit.”

SandboxEscaper wrote, “Not the same bug I posted a while back, this doesn’t write garbage to files but actually deletes them.. meaning you can delete application dll’s and hope they go look for them in user write-able locations. Or delete stuff used by system services c:\windows\temp and hijack them.”

Mitja Kolsek, co-founder of 0Patch, has confirmed that the PoC works, and the 0Patch team has already released a micropatch to correct the “Deletebug” flaw. The micropatch was developed within 7 hours of publication of the PoC. The patch will be automatically applied for users of the 0Patch Agent and is available for others through 0Patch.com.

Microsoft is expected to issue a fix for the flaw on November Patch Tuesday.
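The hijack scenario SandboxEscaper describes depends on a process falling back to a user-writable location once its DLL is gone. The following read-only PowerShell audit is an added example, not code from the article, 0Patch or the researcher. It reports whether the Data Sharing Service is present and which machine-wide PATH directories broad non-admin groups can write to. The service name `DsSvc` and the function name `Get-WritablePathDir` are assumptions made for the example.

```powershell
# Added example, not from the article. Read-only: it changes nothing on the host.
# Only ACEs for broad built-in groups are checked, not ACEs for individual users.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
# Rights that let a principal drop a new file into a directory:
# WriteData/CreateFiles (0x2), AppendData/CreateDirectories (0x4),
# plus the raw GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits.
$writeBits = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-WritablePathDir {
    param([string]$PathValue = [Environment]::GetEnvironmentVariable('Path', 'Machine'))
    foreach ($entry in ($PathValue -split ';' | Where-Object { $_.Trim() })) {
        $dir = [Environment]::ExpandEnvironmentVariables($entry.Trim().Trim('"'))
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
        try { $acl = Get-Acl -LiteralPath $dir -ErrorAction Stop } catch { continue }
        # Ask for SIDs so the check does not depend on localized group names.
        $rules = $acl.GetAccessRules($true, $true,
            [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            $sid = $rule.IdentityReference.Value
            if ($rule.AccessControlType -ne 'Allow') { continue }
            if (-not $broadSids.ContainsKey($sid)) { continue }
            # Inherit-only ACEs apply to children, not to the directory itself.
            if ($rule.PropagationFlags.HasFlag($inheritOnly)) { continue }
            if (([int]$rule.FileSystemRights -band $writeBits) -ne 0) {
                [pscustomobject]@{
                    Directory = $dir
                    Principal = $broadSids[$sid]
                    Rights    = $rule.FileSystemRights
                }
            }
        }
    }
}

# 'DsSvc' is the assumed service name for the Data Sharing Service (dssvc.dll).
$svc = Get-Service -Name 'DsSvc' -ErrorAction SilentlyContinue
if ($svc) { "Data Sharing Service present, status: $($svc.Status)" }
else      { 'Data Sharing Service not found on this host.' }

Get-WritablePathDir | Sort-Object Directory -Unique | Format-Table -AutoSize
```

Any directory the script lists is a location where a missing DLL could be replaced by a non-admin user, so tightening its ACL or removing it from the machine PATH reduces the impact of a file-deletion bug of this kind.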

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news