Zero-Day Windows Data Sharing Facility Weakness Discovered

A Windows zero-day weakness has been discovered that lets hackers erase application dlls and cause a system to crash and possibly hijack systems. The weakness lets an attacker elevate rights and erase files that must only be accessible by management and takes benefit of a Windows facility that fails to verify approvals.

That facility, the Windows Data Sharing Facility – dssvc.dll, was launched in Windows 10, hence earlier Windows types are unaffected, even though the fault is also existing in Windows Server 2016 and Server 2019.

In order to abuse the Windows Data Sharing Service weakness, the attacker would already require access to the system, so for the fault to be distantly exploitable it would need to be merged with one more exploit. This would restrict the possibility for it to be used in an attack.

Although it’s possible to abuse the weakness to run commands on a system, the most likely use is disruption, because it permits files to be erased which would render applications or systems unworkable.

The Windows Data Sharing Facility weakness was detected by safety scientist SandboxEscaper. SandboxEscaper also recently issued a proof-of-concept for a zero-day weakness in Windows Task Scheduler, which was later adopted by a variety of threat actors and utilized in real-world attacks.

Although the fault is similar to the earlier discovered weakness, in the sense that it lets non-admins erase files as a consequence of a Windows facility failing to verify permissions, this weakness is much more difficult to abuse. SandboxEscaper clarified in an October 23 Tweet that it’s “a low-quality bug that is a pain to exploit.”

SandboxEscaper wrote, “Not the same bug I sent a while ago, this does not write garbage to files but really erases them… meaning you can erase application dll’s and hope they go look for them in user write-able places. Or erase stuff used by system services c:\windows\temp and hijack them.”

Mijja Kolsek, a co-founder of 0Patch, has verified the PoC works and 0Patch team has already issued a micropatch to rectify the “Deletebug” fault. The micropatch was developed within 7 hours of publication of the PoC. The repair will be automatically applied for users of the 0Patch Agent and is obtainable for others through 0Patch.com.

Microsoft is expected to deliver a solution to the fault.