A disgruntled security researcher has made good on a threat. A security researcher going by the aliases Chaotic Eclipse and Nightmare-Eclipse published exploit code for a Windows privilege escalation vulnerability. The flaw, dubbed BlueHammer, has no official patch from Microsoft, making it a zero-day vulnerability.
“I was not bluffing Microsoft and I’m doing it again,” Chaotic Eclipse wrote in a post accompanying the release. “Unlike previous times, I’m not explaining how this works, y’all geniuses can figure it out. Also, huge thanks to MSRC leadership for making this possible.” The MSRC is Microsoft’s Security Response Center, the team responsible for handling vulnerability reports.
BlueHammer is what experts call a local privilege escalation (LPE) flaw: an attacker who already has some access to a Windows computer, even as an ordinary low-privilege user, can use the exploit to gain SYSTEM-level control. SYSTEM is the most privileged account on a Windows machine, above even a local Administrator.
Will Dormann, principal vulnerability analyst at Tharros (formerly Analygence), confirmed to BleepingComputer that the exploit works. He described it as a combination of two technical issues: a TOCTOU (time-of-check to time-of-use) bug and a path confusion problem. “At that point, [the attackers] basically own the system, and can do things like spawn a SYSTEM-privileged shell,” Dormann told BleepingComputer.
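Dormann names the two bug classes but, like the researcher, gives no details of how BlueHammer combines them, so the following is a generic illustration written for this article, not BlueHammer’s code and not the Windows component involved. It shows the check-then-use shape of a TOCTOU bug on a user-controlled path, in POSIX C: a privileged routine checks a name and then opens the same name again, and an attacker who re-points the name in between gets the privileged open to land on a file they should not be able to reach. The hardened variant opens first and performs every check on the handle it obtained. The “attacker” step is called explicitly inside the race window so the demonstration is deterministic; the directory, file names and the `protected` file standing in for sensitive data are constructed for the example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Simulated attacker running inside the race window: replace the
 * user-controlled name with a symlink to a file the user must not reach. */
static void attacker_swap_link(const char *user_path, const char *protected_path)
{
    unlink(user_path);
    symlink(protected_path, user_path);
}

/* Did this open handle land on the protected file? Compared by (dev, inode)
 * on the handle itself, never by name, so a re-pointed path cannot lie. */
static int handle_is_protected(int fd, const char *protected_path)
{
    struct stat opened, prot;
    if (fstat(fd, &opened) != 0 || stat(protected_path, &prot) != 0)
        return 0;
    return opened.st_dev == prot.st_dev && opened.st_ino == prot.st_ino;
}

/* VULNERABLE: check the name with lstat(), then open the name again.
 * The open is a fresh lookup, so whatever the attacker swapped in wins.
 * Returns 1 if the privileged open ended up on the protected file. */
static int vulnerable_open(const char *user_path, const char *protected_path)
{
    struct stat st;
    if (lstat(user_path, &st) != 0 || !S_ISREG(st.st_mode))
        return 0;                                   /* check: plain file only */

    attacker_swap_link(user_path, protected_path); /* race window */

    int fd = open(user_path, O_RDONLY);             /* use: follows the new link */
    if (fd < 0)
        return 0;
    int hit = handle_is_protected(fd, protected_path);
    close(fd);
    return hit;
}

/* HARDENED: open first, refusing a symlink at the final component, then do
 * every check on the handle with fstat(). The name is never trusted twice,
 * so there is no window between the check and the use. */
static int hardened_open(const char *user_path, const char *protected_path)
{
    attacker_swap_link(user_path, protected_path); /* same attacker, same timing */

    int fd = open(user_path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return 0;                                   /* ELOOP: symlink refused */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != getuid()) {
        close(fd);
        return 0;                                   /* wrong type or owner */
    }
    int hit = handle_is_protected(fd, protected_path);
    close(fd);
    return hit;
}

/* Build a throwaway directory holding a "protected" file (stand-in for data
 * only the privileged component may read) and a user-owned file, run one
 * variant against the user file, clean up. Returns 1 if the protected file
 * was reached, 0 if not, -1 on setup failure. */
int run_demo(int use_hardened)
{
    char dir[] = "/tmp/toctou-demo-XXXXXX";          /* constructed for the demo */
    if (mkdtemp(dir) == NULL)
        return -1;
    char protected_path[256], user_path[256];
    snprintf(protected_path, sizeof protected_path, "%s/protected", dir);
    snprintf(user_path, sizeof user_path, "%s/user_file", dir);

    int fd = open(protected_path, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) return -1;
    (void)write(fd, "secret\n", 7); close(fd);
    fd = open(user_path, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) return -1;
    (void)write(fd, "harmless\n", 9); close(fd);

    int hit = use_hardened ? hardened_open(user_path, protected_path)
                           : vulnerable_open(user_path, protected_path);

    unlink(user_path); unlink(protected_path); rmdir(dir);
    return hit;
}

int main(void)
{
    printf("vulnerable: reached protected file = %d\n", run_demo(0));  /* 1 */
    printf("hardened:   reached protected file = %d\n", run_demo(1));  /* 0 */
    return 0;
}
```

The takeaway is the shape of the fix, not the particular flags: a privileged component that validates a path and then hands the same string to a second API has already lost, because the second call re-resolves the name. The general guidance on Windows is the same, operate on the handle you opened rather than on the path, and be explicit about whether reparse points may be followed; how that applies to the component BlueHammer targets is not something this article, or the researcher, has disclosed.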
Once attackers are running as SYSTEM, they can read the Security Account Manager (SAM) database, which stores the password hashes of local accounts. With those hashes in hand, persistent control of the machine is a few steps away.

Why is the researcher furious?

The exact trigger for the public release remains unclear. But the researcher’s frustration with Microsoft is impossible to miss.
On April 3, Nightmare-Eclipse published the exploit on GitHub and wrote: “I’m just really wondering what was the math behind their decision, like you knew this was going to happen and you still did whatever you did? Are they serious?” Earlier, on March 26, the researcher using the alias “deadeclipse666” posted a threatening message on Blogspot: “I never wanted to reopen a blog and a new github account to drop code. But someone violated our agreement and left me homeless with nothing. They knew this will happen and they still stabbed me in the back anyways, this is their decision not mine.” The posts suggest a prior relationship with Microsoft, possibly a bug bounty arrangement that turned sour.
Will Dormann offered a possible explanation on Mastodon, as reported by Security Affairs: “SRC used to be quite excellent to work with. But to save money, Microsoft fired the skilled people, leaving flowchart followers. I wouldn’t be surprised if Microsoft closed the case after the reporter refused to submit a video of the exploit, since that’s apparently an MSRC requirement now.” Submitting a video demonstration of a working exploit is reportedly now a requirement for vulnerability reporters dealing with Microsoft.
Microsoft responds

Microsoft has not yet issued a patch or a detailed advisory for BlueHammer, but provided a general statement: “Microsoft has a customer commitment to investigate reported security issues and update impacted devices to protect customers as soon as possible. We also support coordinated vulnerability disclosure, a widely adopted industry practice that helps ensure issues are carefully investigated and addressed before public disclosure, supporting both customer protection and the security research community.”