$90,000 zero-day exploit for sale: It could potentially impact all Windows OS versions

A zero-day being sold on the Russian cybercriminal underground “could affect almost all Windows machines on the planet” -- from Windows 2000 up to Windows 10 -- meaning it could potentially impact “over 1.5 billion Windows users.”


On the Russian underground forum exploit.in, seller “BuggiCorp” has a zero-day for sale that purportedly works against all versions of Windows. The price tag is $90,000.

In the words of the email alerting me to this zero-day, this vulnerability “could affect almost all Windows machines on the planet.” If the local privilege escalation (LPE) vulnerability truly does exist in all versions of Microsoft Windows, from Windows 2000 up to Windows 10, then it could potentially impact “over 1.5 billion Windows users.”

According to SpiderLabs security researchers at Trustwave, who found the post on a cybercriminal underground forum, “It seems the seller has put in the effort to present himself/herself as a trustworthy seller with a valid offering. One of the main indicators for this is the fact that the seller insists on conducting the deal using the forum's admin as the escrow.”

Put another way, the forum’s admin would hold onto the money until the buyer is satisfied the zero-day works as advertised before paying the seller – and then keep a percentage cut for brokering the transaction.

Brian Krebs noted that the escrow service acts like a “sort of proxy for reputation” – think eBay feedback scores, but for cyber thugs. Krebs added, “If a member states up front that he’ll only work through a crime forum’s escrow service, that member’s cybercriminal pitches are far more likely to be taken seriously by others on the forum.”

If the LPE is exploited, an attacker can escalate any Windows user-level account to an administrator account. “Although such an exploit can't provide the initial infection vector like a Remote Code Execution would, it is still a very much needed puzzle piece in the overall infection process,” SpiderLabs researchers wrote.

“This type of flaw is always going to be used in tandem with another vulnerability to successfully deliver and run the attacker’s malicious code,” Krebs pointed out. “Chain that remote exploit with a local privilege escalation bug that can bump up the target’s account privileges to that of an admin, and your remote exploit can work its magic without hindrance.”

While there is no way to tell if the zero-day is authentic without purchasing it or waiting for it to show up in the wild, the researchers said the LPE exploit does provide “the means to persist on an infected machine, which is a crucial aspect when considering APTs (Advanced Persistent Threats).”

SpiderLabs Research said the original $95,000 asking price was lowered to $90,000 on May 23. The seller added that the exploit would be “sold exclusively to a single buyer” and included two proof videos. “The first video shows a fully updated Windows 10 machine being exploited successfully, by elevating the CMD EXE process to the SYSTEM account. It is interesting to note that the video was actually recorded on ‘Patch Tuesday’ and the author made sure the latest updates were installed.”

The second video may be more disturbing; it shows the exploit working against a Windows box running Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) and successfully bypassing EMET protection.

As was pointed out on Krebs on Security, Microsoft does “heavily restrict” which vulnerabilities qualify for a bug bounty, but the reward for a vulnerability which can fully bypass EMET is $100,000. That's $10,000 more than BuggiCorp is asking for his zero-day.

Trustwave SpiderLabs included a translation of the Russian post. The seller described the LPE as:

Exploit for local privilege escalation (LPE) for a 0day vulnerability in win32k.sys. The vulnerability exists in the incorrect handling of window objects, which have certain properties, and [the vulnerability] exists in all OS [versions], starting from Windows 2000. [The] exploit is implemented for all OS architectures (x86 and x64), starting from Windows XP, including Windows Server versions, and up to current variants of Windows 10. The vulnerability is of ‘write-what-where’ type, and as such allows one to write a certain value to any address [in memory], which is sufficient for a full exploit.

The “EXE file size is between 7KB to 12KB depending on OS architecture. The exploit was tested on all versions of Windows, starting from XP, and on at least 20 different variants of Windows OS, including Windows Server versions.”

The exploit comes in two flavors: one is a simple escalation of privilege, and the other variant escalates privilege and also has the ability to execute code.

The zero-day “stood out” from the other offerings on the Russian underground cybercriminal forum, which allows buyers to lease an exploit kit, rent a botnet, hire malware coders or buy web shells for compromised websites. “However, finding a zero day listed in between these fairly common offerings is definitely an anomaly,” SpiderLabs Research said. “It goes to show that zero days are coming out of the shadows and are fast becoming a commodity for the masses, a worrying trend indeed.”