
A cybersecurity researcher, operating under the moniker Chaotic Eclipse, has made public on GitHub the source code for a novel zero-day exploit targeting Windows operating systems. This drastic action stems from a protracted dispute between the specialist and Microsoft’s Security Response Center (MSRC).
On April 3rd, Chaotic Eclipse published the code, dubbed BlueHammer, without any accompanying technical documentation describing how it works. He justified the decision by expressing deep dissatisfaction with how MSRC management had handled the vulnerability disclosure information he had initially supplied. It is widely believed that the researcher's anger was fueled by the corporation's insistence on a video demonstration of the exploit in action as part of the official report.
The released exploit allows an attacker who already has local access to a machine to elevate privileges to SYSTEM, the highest level on Windows, or to obtain administrative rights. Will Dormann, a principal security analyst at Tharros, has confirmed that the published code works.
Dormann characterized the attack as an intricate combination of a Time-of-Check to Time-of-Use (TOCTOU) race condition and improper handling of system paths. As a result, an attacker gains access to the Security Account Manager (SAM) database, which stores the password hashes of local user accounts. From there, a command shell can be launched with the highest privileges, fully compromising the endpoint.
Despite this, both the exploit's author and external testers have noted that the exploit is unstable: on Windows servers, for example, it fails to obtain full system rights and instead only triggers a prompt for administrative consent. Even though the vulnerability requires prior access to the system, threat actors could obtain that initial foothold through social engineering. Microsoft has yet to release a security patch, issuing only a boilerplate statement stressing the importance of responsible, coordinated vulnerability disclosure.