In Windows 10 vulnerability helps you to write something to system folders

The virtualization tools present in some versions of Windows 10 allow the writing to system32 of arbitrary files. The specialist who found the topic released information about it straight away, bypassing contact with Microsoft.

No privileges
A technology researcher has freely revealed a zero-day flaw in Microsoft Windows 10 that affects virtualization software. The weakness is incredibly easy to manipulate. Attackers can write arbitrary files to operating system secure directories (for instance, system32).

Reverse engineer Jonas Lykkegaard discovered that an unprivileged user might initiate an attack, if Hyper-V, a virtual machine development solution, is enabled on the device. This dramatically reduces the surface of the attack: Hyper-V is available only on Windows 10

Pro, Business and Education. Windows 10 Home models aren’t available. Wherever it is it is limited by need.
Although Hyper-V enables large virtual worlds to be developed, it also switches on when a user installs Windows Sandbox, an enclosed environment in which it is secure-technically-to access potentially malicious pages or run questionable applications without putting the operating system in danger. The whole lot.

Windows Sandbox was introduced in the upgrade to Windows May 10, 1903. Hyper-V is automatically turned on when Sandbox is triggered.

Windows 10 Virtualization Tools allow you to write arbitrary files to system32 without using administrator rights, Lukkegaard was able to create an arbitrary file in the system32 root folder with a.dll extension. Typically this is not possible: Windows 10 would not allow ordinary users to make any modifications to this section. However, when Hyper-V is involved this constraint doesn’t work.

Consequently, a malicious file inserted in the device folder in this manner would then be released with elevated rights.

The assault would of course require physical access to the Hyper-V running machine.

According to Lukkegaard, the source of the problem is a bug in the Hyper-V server component storvsp.sys.

Without waiting for problems
Lukkegaard decided to immediately publish information about the “bug”, citing two reasons. The first is that there are other vulnerabilities in Windows 10 that are more serious and require urgent fixing; the second is Microsoft’s recent decision to cut payments for detection of privilege escalation vulnerabilities by 10 times (from $ 20,000 to $ 2,000).

“I always advised Microsoft of my findings before and waited for them to address the issue, but with the recent improvements in payment rate, I determined that the game was not worth the flame,” Lukkegaard told Bleeping Machine.

However, he added that he is able to continue to advise Microsoft about the problems found but on one condition. The company will have to make him a choice: either he gets a small (although reduced) remuneration, or Microsoft is making bigger contributions to educational programs for poor families children.

“In ethical terms, releasing information about a flaw without notifying the developer seems like a very contentious move,” says Dmitry Zalmanov, an SEC Consult Services information security specialist. — As it can be understood: only sympathy and/or the concern of security professionals (including commercial) governs such a procedure. If their contributions are offset by, to put it lightly, a small sum, it is not shocking, so in the final analysis there are more problems about vendors and their approach towards technology expertise and cybersecurity itself.

“Microsoft is committed to addressing identified security problems for users, and we will soon be delivering patches for affected devices. We advise technology specialists to organize attempts to divulge bugs and minimize future threats for consumers, “a spokesperson for Microsoft