From the BlueHammer author: New Windows zero-day grants admin rights

The exploit combines an insecure behavior of Windows Defender with a file API to obtain SYSTEM privileges. It is still unpatched.


A week after the publication of the “BlueHammer” exploit, its author has followed up: “RedSun” grants attackers admin rights on current Windows systems. The exploit uses the “Cloud Files API” together with a suspected flaw in Windows Defender to overwrite a system file and thereby escalate its privileges.

The author writes that Windows Defender rewrites files that carry a “cloud tag” and uses the file's original path to do so. Security researcher Will Dormann elaborates on the author's brief explanation on Mastodon: the exploit writes a file using the “Cloud Files API,” then wins a race condition involving shadow copies, and can thus place an executable file in the Windows system directory. From there, it escalates its privileges to SYSTEM. Dormann: “Game over.”


The vulnerability named “RedSun” is not yet patched in current Windows versions, as Dormann discovered. He successfully tested the exploit on Windows 10 and 11. The editors of heise security were also able to confirm on a freshly patched test system that the exploit works.

The RedSun exploit grants SYSTEM privileges

(Image: GitHub: Nightmare-Eclipse)

On April 7th, an anonymous security researcher had published the BlueHammer exploit out of frustration with the disclosure process at the MSRC (Microsoft Security Response Center).

(cku)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.