
Disgruntled researcher leaks “BlueHammer” Windows zero-day exploit

Why This Matters

The leak of the BlueHammer Windows zero-day exploit highlights critical vulnerabilities in Microsoft's security response process, exposing systems to potential privilege escalation attacks. This incident underscores the importance of timely patching and responsible disclosure to protect consumers and the industry from malicious exploits. As attackers can leverage such flaws for full system compromise, it emphasizes the need for robust security measures and vigilant monitoring.

Key Takeaways

Exploit code has been released for an unpatched Windows privilege escalation flaw reported privately to Microsoft, allowing attackers to gain SYSTEM or elevated administrator permissions.

Dubbed BlueHammer, the vulnerability was published by a security researcher unhappy with how Microsoft’s Security Response Center (MSRC) handled the disclosure process.

Since the security issue has no official patch and no update addresses it, the flaw is a zero-day by Microsoft's definition.

It is unclear what triggered the public release of the exploit code. In a short post under the alias Chaotic Eclipse, the researcher says "I was not bluffing Microsoft, and I'm doing it again."

“Unlike previous times, I'm not explaining how this works; y'all geniuses can figure it out. Also, huge thanks to MSRC leadership for making this possible,” the researcher added.

On April 3rd, Chaotic Eclipse published a GitHub repository for the BlueHammer vulnerability exploit under the alias Nightmare-Eclipse, expressing disbelief and frustration at how Microsoft decided to address the security issue.

"I'm just really wondering what was the math behind their decision, like you knew this was going to happen and you still did whatever you did? Are they serious?"

The researcher also noted that the proof-of-concept (PoC) code contains bugs that may prevent it from working reliably.

Will Dormann, principal vulnerability analyst at Tharros (formerly Analygence), confirmed to BleepingComputer that the BlueHammer exploit works, saying that the flaw is a local privilege escalation (LPE) that combines a TOCTOU (time-of-check to time-of-use) and a path confusion.

He explained that the issue is not easy to exploit and that it gives a local attacker access to the Security Account Manager (SAM) database, which contains password hashes for local accounts.
