A reverse-engineering researcher has found a new zero-day vulnerability in most versions of Windows 10. If exploited successfully, it lets an attacker create files in protected areas of the OS.
An attacker can use the flaw to advance an attack, but it only works on computers with Hyper-V.
The need to enable Hyper-V significantly limits the number of vulnerable machines, since the feature is disabled by default in Windows 10 Pro, Enterprise and Education.
To demonstrate exploitation of the vulnerability, Luckgard created an empty file named phoneinfo.dll in the “system32” folder. Normally, an unprivileged user would need administrator permission to do this. The vulnerability removes the need to obtain elevated permissions on the system.
Because the file's creator is also its owner in this case, an attacker can place malicious code in it, and that code will then be executed with high privileges.
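A defender-side check for the condition described above, as an added example that is not from the researcher or Microsoft: it reports whether the Hyper-V feature is enabled and lists files directly under System32 whose owner is not SYSTEM, Administrators or TrustedInstaller. The expected-owner list is an assumption about a default installation.

```powershell
# Added example. Run from an elevated PowerShell prompt
# (Get-WindowsOptionalFeature requires elevation).

# Assumption: on a default install, files in System32 are owned by one of these well-known SIDs.
$expectedOwners = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # NT SERVICE\TrustedInstaller
)

# 1. Scope: the article states the issue only applies when Hyper-V is present.
try {
    $state = (Get-WindowsOptionalFeature -Online -FeatureName 'Microsoft-Hyper-V' -ErrorAction Stop).State
} catch {
    $state = 'Unknown (feature not present or query failed)'
}
Write-Output "Hyper-V feature state: $state"

# 2. Find files directly under System32 with an unexpected owner.
$system32 = Join-Path $env:windir 'System32'
$findings = foreach ($file in Get-ChildItem -LiteralPath $system32 -File -Force -ErrorAction SilentlyContinue) {
    try {
        # Compare by SID so the check does not depend on the OS display language.
        $sid = (Get-Acl -LiteralPath $file.FullName).GetOwner([System.Security.Principal.SecurityIdentifier])
    } catch {
        Write-Warning "Could not read owner of $($file.FullName)"
        continue
    }
    if ($expectedOwners -notcontains $sid.Value) {
        # Resolve the SID to an account name when possible; fall back to the raw SID.
        try   { $owner = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $owner = $sid.Value }
        [pscustomobject]@{
            Path        = $file.FullName
            Owner       = $owner
            Length      = $file.Length          # the article's demo file was empty (0 bytes)
            CreatedUtc  = $file.CreationTimeUtc
        }
    }
}

if ($findings) {
    $findings | Sort-Object CreatedUtc -Descending | Format-Table -AutoSize
} else {
    Write-Output "No files with unexpected owners found directly under $system32"
}
```

Third-party installers can legitimately leave files with other owners, so treat each result as something to review rather than as proof of compromise.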
According to Will Dorman, the problem lies in the storvsp.sys (Storage VSP – Virtualization Service Provider) driver, a server-side Hyper-V component.
Luckgard also started a thread on Twitter where he talks about the vulnerabilities he has identified. The expert complained that Microsoft does not pay well enough for reported vulnerabilities, so there is no point in reporting them directly to the tech giant.