A new zero-day exploit that affects all versions of Windows starting with Windows 2000 has been discovered by Trustwave’s SpiderLabs research team (via BGR). The researchers spotted that the exploit was being advertised on a Russian hacking forum last month, and the seller who goes under the nickname “BuggiCorp” is currently selling it for $95,000.
In this case, the zero-day exploit targets a Local Privilege Escalation (LPE) vulnerability in Windows. Trustwave shared the following technical details:
Although such an exploit can’t provide the initial infection vector like a Remote Code Execution (RCE) would, it is still a very much needed puzzle piece in the overall infection process. For instance, an LPE exploit paired with a client-side RCE exploit can allow an attacker to escape an application that implements sandbox protection (For example Google Chrome, Adobe Reader, etc…).
Moreover, an LPE exploit provides the means to persist on an infected machine, which is a crucial aspect when considering APTs (Advanced Persistent Threats). In general terms, this exploit can be leveraged in almost any kind of attack scenario.
Trustwave also notes that the seller has “put in the effort to present himself/herself as a trustworthy seller with a valid offering”. Indeed, the seller has also posted two different videos of the exploit for potential buyers.
Trustwave researchers have already notified Microsoft about the zero-day offering, but the company has yet to acknowledge the exploit. As this zero-day works in tandem with other exploits, there is no real need to worry yet, though the researchers, who are used to working with Redmond on Windows security, think that this commerce in security exploits could be worsening:
Finding a zero day listed in between these fairly common offerings is definitely an anomaly. It goes to show that zero days are coming out of the shadows and are fast becoming a commodity for the masses, a worrying trend indeed.