"BlueHammer": Zero-Day vulnerability in Windows grants elevated privileges

Windows has a zero-day vulnerability that allows attackers to escalate their privileges. A patch is not yet available.


A zero-day vulnerability in Windows grants attackers elevated privileges within the system. The discoverer has given it the nickname "BlueHammer". The alleged discoverer, who remains anonymous and uses the handle "Nightmare Eclipse", has published, on a blog set up specifically for this purpose, a link to a GitHub repository containing the source code of the "BlueHammer" exploit as a proof of concept. The developer does not want to explain how the exploit works: "yall geniuses can figure it out."

Renowned IT security researcher Will Dormann confirms on Mastodon that the exploit works. While not one hundred percent reliable, it is good enough. Dormann suspects frustration with the Microsoft Security Response Center (MSRC) behind the circumstances of the publication. In the past, cooperation with the MSRC had been excellent. "But to save money Microsoft fired the skilled people, leaving flowchart followers." He would not be surprised if Microsoft closed the reporter's case because they did not submit a video of the exploit, which is apparently now a requirement of the MSRC.

The exploit appears to target the Windows Defender update process. Later in the program flow, the code sets a new password and apparently grants the user privileges by accessing the Security Account Manager (SAM) database. The screenshot that Will Dormann provides as proof that the exploit works also shows a "Windows Security" window with a Windows Defender scan in progress, which likewise points to Windows Defender as the entry point. Dormann confirms this to BleepingComputer and explains that the exploit abuses a "Time-of-Check Time-of-Use" (TOCTOU) vulnerability together with file path manipulation.
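To make the term concrete, the following is an added example and not the BlueHammer code, nothing from the PoC repository, and not specific to Windows or to Defender. It shows the generic check-then-use race on a file path that a TOCTOU bug describes, next to the hardened pattern that validates the opened handle instead of the name, so that nothing a file name is later pointed at can change what the program already has open. It assumes a POSIX filesystem (unlinking an open file and O_NOFOLLOW); the file names, the swap callback standing in for the race window, and all contents are constructed.

```python
"""Constructed illustration of a TOCTOU (check-then-use) race on a file path
and of the hardened pattern that checks the opened handle, not the name.
Not the BlueHammer code; assumes a POSIX filesystem."""
import os
import stat
import tempfile


def naive_read(path, between_check_and_use=None):
    """Vulnerable pattern: validate the NAME, then open the NAME again.
    Whatever the name refers to at the second step is what gets used."""
    if os.path.islink(path) or not os.path.isfile(path):
        raise ValueError("refusing: not a regular file")
    if between_check_and_use:
        between_check_and_use()          # stands in for the race window
    with open(path, "rb") as f:          # re-resolves the name: follows a symlink
        return f.read()


def hardened_read(path, between_check_and_use=None):
    """Hardened pattern: open once (refusing a symlink as final component),
    then validate the HANDLE. Check and use act on the same object, so a
    later change to what the name points at has no effect."""
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags)            # raises OSError (ELOOP) on a symlink
    try:
        st = os.fstat(fd)                # properties of the opened object
        if not stat.S_ISREG(st.st_mode):
            raise ValueError("refusing: not a regular file")
        if between_check_and_use:
            between_check_and_use()      # same window, but fd is already fixed
        chunks = []
        while True:
            chunk = os.read(fd, 65536)
            if not chunk:
                break
            chunks.append(chunk)
        return b"".join(chunks)
    finally:
        os.close(fd)


def demo():
    """Run both patterns against the same constructed race and report what
    each one ends up reading."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "update.bin")      # file the program means to read
        protected = os.path.join(d, "protected.txt")  # file it must not be tricked into reading

        def reset():
            if os.path.lexists(target):
                os.remove(target)
            with open(target, "wb") as f:
                f.write(b"expected payload")

        with open(protected, "wb") as f:
            f.write(b"PROTECTED")

        def swap():
            # Constructed stand-in for the race: the name is re-pointed at
            # another file between the check and the use.
            os.remove(target)
            os.symlink(protected, target)

        reset()
        results["naive"] = naive_read(target, swap)          # reads the wrong file
        reset()
        results["hardened"] = hardened_read(target, swap)    # still reads the file it opened
        # The name now points at a symlink; the hardened open refuses it outright.
        try:
            hardened_read(target)
            results["hardened_on_symlink"] = "opened"
        except OSError:
            results["hardened_on_symlink"] = "OSError"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The point for reviewers and defenders is in the second function: any property you need to trust (file type, owner, location) has to be read from the handle you will actually use, and the open itself must refuse to follow a symlink, because a check performed on a path name is only a statement about the past.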

The exploit grants system privileges on Windows 11. On Windows Server, other commentators have had less success, but Dormann also shows that attackers can still gain administrator privileges there. The author of the PoC also admits on GitHub that the code has some bugs, which could prevent it from working, and which they might correct later.


Microsoft currently has no update in the pipeline to fix the vulnerability, and no CVE entry has been assigned yet. A Microsoft spokesperson told BleepingComputer on Tuesday this week that the company is committed to investigating vulnerability reports and updating affected devices to protect customers as quickly as possible. Furthermore, Microsoft supports coordinated vulnerability disclosure, which ultimately helps customers and IT security researchers.

On the March Patchday, Microsoft had already closed two "Zero Day" vulnerabilities. It is unclear whether the developers will address the security vulnerability by the next Patchday.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.