Windows 10 Sandbox has a Vulnerability inside

A researcher discovered a new zero-day vulnerability in most Windows 10 editions, which allows creating files in restricted areas of the operating system.

Exploiting the flaw is trivial and attackers can use it to further their attack after initial infection of the target host, albeit it works only on machines with Hyper-V feature enabled.

An unprivileged user can create an arbitrary file in ‘system32,’ a restricted folder holding vital files for Windows operating system and installed software.

However, this works only if Hyper-V is already active, something that limits the range of targets since the option is disabled by default and is present in Windows 10 Pro, Enterprise, and Education.

Hyper-V is Microsoft’s solution to creating virtual machines (VM) on Windows 10. Depending on the physical resources available on the host, it can run at least three virtual instances.

Given sufficient hardware resources, Hyper-V can run large VMs with 32 processors and 512GB of RAM. An average user user may not have a use for such a virtual machine but they may run Windows Sandbox, an isolated environment for executing programs or loading websites that are not trusted, without risking to infect the normal Windows operating system.

Microsoft introduced Windows Sandbox with the May 2019 Update, in Windows 10 version 1903. Turning on this feature automatically enables Hyper-V.

To demonstrate the vulnerability researchers created in \system32 an empty file named phoneinfo.dll. Making any changes in this location requires elevated privileges but these restrictions are irrelevant when Hyper-V is active.

The creator of the file is also the owner, an attacker can use this to place malicious code inside that would be execute with elevated privileges when needed.

CERT/CC vulnerability analyst Will Dormann confirmed that the vulnerability exists and that exploiting it requires literally no effort from an attacker on the host.

Although this vulnerability is easy to exploit there are more dangerous issues in Windows 10 that Microsoft should address. This is one reason he decided to make it public and not report it through Microsoft’s bug bounty program.

Windows 10 unfaced with bug in built-in security feature

Microsoft says it is working on a fix for an error that prevents Windows Sandbox and Windows Defender Application Guard from opening.

The issue affects Windows 10 versions 1903, 1909, and 2004. When failing to open, the bug triggers the error message ‘ERROR_VSMB_SAVED_STATE_FILE_NOT_FOUND (0xC0370400)’ or ‘E_PATHNOTFOUND (0x80070003)’.

Windows Sandbox is a relatively new feature of Windows 10 Pro and Enterprise editions since version 1903 that lets users launch a virtual machine with a basic version of Windows 10 to run potentially suspicious software without the risk of it affecting the main Windows 10 installation.

The feature has proved popular with IT pros because of its ability to safely run potentially risky executables in a container, and Microsoft included several improvements to Windows Sandbox in Windows 10 version 2004.

Windows Defender Application Guard (WDAG) is also a relative newcomer in Windows 10 Pro and Enterprise editions that admins can use to create a list of trusted websites and local resources.

WDAG comes into play when users access a URL outside that list. It launches Microsoft Edge in a Hyper-V container to keep the browser isolated from the operating system. Microsoft released WDAG extensions for Chrome and Firefox last year.

“To mitigate this issue after receiving one of the above error messages, you will need to restart your device,”.Microsoft plans on addressing the bug in an upcoming release of Windows 10

A similar issue affected Windows Sandbox on Windows 10 Insider previews last year after users installed the KB4497936 update.