Zero-Day Windows Flaw Allowing Sandbox Escape Being Actively Exploited in the Wild

Google Project Zero has disclosed a high-severity Windows vulnerability that has yet to be patched by Microsoft after the flaw was observed being exploited in the wild by hackers.

The Windows driver bug, which allows local privilege escalation and sandbox escape, was announced just 7 days after it was reported. While the Google Project Zero team usually waits until a patch has been made available before disclosing a vulnerability, the announcement was made early due to the zero-day bug being exploited in the wild. The decision to go public with the vulnerability was made as it would help with the detection of attacks exploiting the vulnerability, and would make it harder for those attacks to go undetected since network defenders would know what to look for.

The vulnerability, tracked as CVE-2020-17087, is due to how the Windows Kernel Cryptography Driver (cng.sys) processes input/output control (IOCTL) requests.

“[Cng.sys] exposes a \Device\CNG device to user-mode programs and supports a variety of IOCTLs with non-trivial input structures,” according to the Google Project Zero team. “We have identified a vulnerability in the processing of IOCTL 0x390400, reachable through [a] series of calls.”

Google Project Zero says the vulnerability is a 16-bit integer truncation issue. “The integer overflow occurs in line 2, and if SourceLength is equal to or greater than 0x2AAB, an inadequately small buffer is allocated from the NonPagedPool in line 3. It is subsequently overflown by the binary-to-hex conversion loop in lines 5-10 by a multiple of 65536 bytes.”
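
The truncation described above, worked through as an added C example (it is not Project Zero's pseudocode or Microsoft's code). The expansion factor of 6 output bytes per input byte is an assumption inferred from the 0x2AAB threshold, and all function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: every input byte becomes 6 output bytes (hex digits plus a
   separator as 16-bit characters). Inferred from the 0x2AAB threshold in
   the quote; the factor itself is not stated on the page. */
#define OUT_BYTES_PER_IN_BYTE 6u

/* Bytes the binary-to-hex loop really writes, computed without narrowing. */
static uint32_t bytes_written(uint16_t source_length) {
    return OUT_BYTES_PER_IN_BYTE * (uint32_t)source_length;
}

/* Flawed pattern: the product is narrowed to 16 bits before allocating. */
static uint16_t truncated_size(uint16_t source_length) {
    return (uint16_t)(OUT_BYTES_PER_IN_BYTE * source_length);
}

/* How far the loop runs past a buffer sized with the truncated value. */
static uint32_t overrun(uint16_t source_length) {
    return bytes_written(source_length) - truncated_size(source_length);
}

/* Hardened pattern: compute wide, refuse anything that cannot fit in the
   16-bit size field, and only then narrow. */
static bool checked_size(uint16_t source_length, uint16_t *out) {
    uint32_t need = bytes_written(source_length);
    if (need > UINT16_MAX)
        return false;
    *out = (uint16_t)need;
    return true;
}

int main(void) {
    /* Constructed sample lengths on both sides of the threshold. */
    const uint16_t samples[] = { 0x0010, 0x2AAA, 0x2AAB, 0x5556, 0xFFFF };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint16_t size = 0;
        bool ok = checked_size(samples[i], &size);
        printf("len=0x%04X alloc=0x%04X written=0x%05X overrun=%u checked=%s\n",
               (unsigned)samples[i], (unsigned)truncated_size(samples[i]),
               (unsigned)bytes_written(samples[i]), (unsigned)overrun(samples[i]),
               ok ? "accepted" : "rejected");
    }
    return 0;
}
```

Under this assumption, 0x2AAA is the largest length whose output size still fits in 16 bits; from 0x2AAB upward the checked version rejects the request instead of allocating a short buffer.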

The flaw can be exploited by sending specially crafted requests that trigger a pool-based buffer overflow, which causes a system crash and allows exploitation. The researchers created a proof-of-concept exploit for the flaw, which showed the vulnerability could be easily exploited in an attack on an up-to-date Windows 10 1903 (64-bit) build, although the researchers note that the vulnerability affects all prior versions of Windows back to Windows 7.

To date, attacks exploiting the flaw have been highly targeted and there is no indication that the flaw has been exploited in any attacks related to the U.S. presidential elections.

With just a week to go until November 2020 Patch Tuesday, Microsoft is not expected to release an out-of-band patch to correct the flaw. A patch is expected to be released next Tuesday.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news