An anonymous hacker going by the alias “SandboxEscaper” has published 3 Microsoft exploits in the last 24 hours. The bug hunter has published a total of 7 exploits in the last year.

On Wednesday 22 May, SandboxEscaper published details of a Windows 10 zero-day exploit that allows for local privilege escalation (LPE).  LPE vulnerabilities can be exploited by hackers to break into systems and also elevate their levels of access. This zero-day exploit resides in the Windows Task Scheduler and allows a low-privileged account to get admin access. While this exploit has only been proven to work on Windows 10 32 bit systems, cybersecurity researchers believe the method could be tweaked to work on all previous Windows versions.

The following day two more vulnerabilities were published:

Internet Explorer 11

This vulnerability allows a hacker to inject a DLL into a specified Internet Explorer 11 process, causing it to open a filepicker and a HTML page. The HTML page is running JavaScript and the exploit disabled the Filepicker’s Internet Protected mode. This means that the JavaScript can run malicious code.

Windows Error Reporting

This is a privilege elevation bug that affects Windows Error Reporting. It would allow an attacker to rewrite C:\Windows\System32\drivers\pci.sys with non-admin level access. This flaw is actually not a zero-day because it was fixed by Microsoft this month after it was reported to them.

Who Is SandboxEscaper?

SandboxEscaper is the Twitter handle of the anonymous hacker who finds and publishes Zero-day Microsoft exploits, usually accompanied by a proof of concept on GitHub. SandboxEscaper has received criticism in the past for publishing the exploits without first notifying Microsoft of their existence. The accepted protocol is for white hat hackers to first notify the company who built the software of the exploit and allow them a reasonable amount of time to respond and make a patch. Only after this patch has been released does the hacker release the details of the exploit.

The language in SandboxEscaper’s tweets gives a hint about the mindset of the hacker and a possible clue as to why she doesn’t notify Microsft. On August 27, 2018, SandboxEscaper tweeted:

Here is the alpc bug as 0day: [link] I don’t fucking care about life anymore. Neither do I ever again want to submit to MSFT anyway. Fuck all of this shit.

Similar sentiment also follows on SandoxEscaper’s blog. After publishing the recent vulnerabilities she said:

“There’s two more bugs on github.
*** this *** industry. I don’t plan to make a career in it anyway.
I hate all the people involved in this industry.

Everyone just thinks they know better. Everyone just loves pointing fingers.
Bunch of apes.

Bye”

And previously said:

Uploaded the remaining bugs.
I like burning bridges. I just hate this world.
ps: that last windows error reporting bug was apparently patched this month. Other 4 bugs on github are still 0days. have fun.

Credit for discovering and reporting the Windows Error Reporting LPE bug was given to Gal De Leon and Polar Bear. Microsoft them fixed this vulnerability. Interestingly, Polar Bear is also an alias used by SandboxEscaper, so it’s possible that she did report the issue before publishing it in this case.

As for her motivation to disclose the exploits, user Espeon in a comment on arstechnica.com said:

Yeah, she’s incredibly good at what she does, but iirc she stopped doing responsible disclosure after getting shafted on bounties a few times.

Not defending her – it’s incredibly irresponsible and burns bridges. It’s not without reason, though.

SandboxEscaper had publisher 4 previous Zero-day exploits before the 3 published within 24 hours. These were:

• LPE in Advanced Local Procedure Call (ALPC): The bug allows local users to obtain system privileges by exploiting a security flaw in Windows Task Scheduler.
• LPE in Microsoft Data Sharing (dssvc.dll): This flaw affects the dssvc.dll (Microsoft Data Sharing), which is a service that provides data brokering between applications. It would allow a hacker to have elevated access on a system they have access to.
• LPE in Readfile: This vulnerability allows low privileged users to read any file on the system.
• LPE in Windows Error Reporting (WER): This vulnerability affects the Windows OS ReadFile file by allowing malware to read any files.