Microsoft Defender 'RoguePlanet' Zero-Day Grants SYSTEM Privileges (bleepingcomputer.com)
A researcher using the name Nightmare Eclipse has released a new Microsoft Defender zero-day exploit called "RoguePlanet," which reportedly works on fully patched Windows 10 and 11 systems and can spawn a command prompt with SYSTEM privileges through a Defender race condition. The release came just hours after Microsoft fixed two previously disclosed flaws during its latest monthly Patch Tuesday drop -- its largest Patch Tuesday release ever. BleepingComputer reports: The researcher shared a proof-of-concept exploit on Tuesday afternoon in a self-hosted Git repository after saying that GitHub and GitLab repositories hosting their exploits had previously been removed by Microsoft. "The exploit is a race condition, so it's a hit or miss. I have managed to get a 100% success rate on some machines while it struggled to work on others," Nightmare Eclipse wrote in the repository.
[...] Cybersecurity firm ThreatLocker told BleepingComputer that they successfully reproduced the flaw in their testing and confirmed the exploit worked against fully patched Windows 11 systems with KB5094126 installed, and shared a video demonstrating it. "Our initial analysis confirms that the RoguePlanet exploit is viable and performs as described. Organizations using application allowlisting can prevent the exploit from executing, providing an effective layer of protection against this attack," Danny Jenkins, CEO of ThreatLocker, told BleepingComputer.
According to Nightmare Eclipse, RoguePlanet was originally developed as a remote code execution vulnerability that exploited Microsoft Defender's handling of files hosted on remote SMB shares. "In initial development, it was confirmed that this vulnerability was a remote code execution," the researcher explained in a blog post. "It required an attacker to coerce a victim to open a .vhd(x) in a remote SMB server, successful exploitation resulted in defender overwriting its own files and obviously the end outcome was an RCE."
The researcher says another attack scenario could lead to remote code execution simply by coercing a victim into opening an SMB share if symlink evaluation settings were enabled. However, the researcher claims Microsoft silently hardened Defender in mid-May by patching the "mpengine!SysIO*" API, which blocked junction attacks. "Rewriting RoguePlanet to make it functional again drained my soul and I couldn't complete the other scenarios and for now it remains unclear if RoguePlanet is limited to LPE or there is some sort of way to turn it into an RCE," the researcher wrote.
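The summary gives a defender three things to pin down on a host: which Defender engine/platform build is running (the researcher ties the mid-May hardening to mpengine), whether remote-origin symlink evaluation is enabled (the precondition for the second, symlink-based scenario), and whether application allowlisting is enforced (ThreatLocker's suggested mitigation). The script below gathers exactly those facts. It is an added example written for this page, not code from the article, BleepingComputer, ThreatLocker or the researcher; the function names are mine, and it assumes an elevated PowerShell session on the Windows 10/11 client being assessed (fsutil needs admin rights). The page publishes no engine version that fixes the bug, so the script records versions but cannot judge vulnerability; KB5094126 is checked only because it is the update ThreatLocker's test machine had installed, not because it fixes anything.

```powershell
# Added example: RoguePlanet exposure facts for one Windows host.
# Not from the article, BleepingComputer, ThreatLocker or the researcher.
# Run from an elevated PowerShell prompt.

function Get-DefenderVersionInfo {
    # The researcher attributes the mid-May hardening to mpengine, so the
    # engine version is the number worth recording next to platform/signatures.
    $mp = Get-MpComputerStatus
    [pscustomobject]@{
        EngineVersion      = $mp.AMEngineVersion
        PlatformVersion    = $mp.AMProductVersion
        SignatureVersion   = $mp.AntivirusSignatureVersion
        RealTimeProtection = $mp.RealTimeProtectionEnabled
        # KB5094126 is the cumulative update ThreatLocker's test box had when the
        # PoC still worked; presence means "same baseline as the test", not "fixed".
        KB5094126Installed = [bool](Get-HotFix -Id KB5094126 -ErrorAction SilentlyContinue)
    }
}

function Get-SymlinkEvaluationPolicy {
    # fsutil prints one line per direction, e.g.
    #   "Remote to local symbolic links are disabled."
    # Windows clients default to L2L/L2R enabled and R2L/R2R disabled.
    $policy = @{}
    fsutil behavior query SymlinkEvaluation | ForEach-Object {
        if ($_ -match '^(Local|Remote) to (local|remote) symbolic links are (enabled|disabled)') {
            $key = '{0}2{1}' -f $matches[1][0], ([string]$matches[2][0]).ToUpper()
            $policy[$key] = ($matches[3] -eq 'enabled')
        }
    }
    $policy
}

function Get-AllowlistingStatus {
    # ThreatLocker's point: allowlisting stops the PoC binary from running at all.
    # Two built-in mechanisms are visible here; a third-party allowlisting agent
    # (ThreatLocker itself, for instance) would not show up in either field.
    # WDAC user-mode code integrity: 0 = off, 1 = audit, 2 = enforced.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        WdacUserModeEnforcement = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus
        AppLockerServiceRunning = ((Get-Service AppIDSvc -ErrorAction SilentlyContinue).Status -eq 'Running')
    }
}

$symlinks = Get-SymlinkEvaluationPolicy
Get-DefenderVersionInfo
[pscustomobject]$symlinks
Get-AllowlistingStatus

if ($symlinks['R2L'] -or $symlinks['R2R']) {
    Write-Warning ('Remote-origin symlink evaluation is enabled; the researcher''s symlink ' +
                   'scenario assumed this. If nothing depends on it, disable with: ' +
                   'fsutil behavior set SymlinkEvaluation R2L:0 R2R:0')
}
```

Disabling R2L/R2R only addresses the precondition of the symlink scenario the researcher describes; it does nothing against the local race condition the released PoC uses, which is why the allowlisting check is the one that matters for the LPE as published.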
Sure it's not Windows 95/98....? (Score:1)
The description reads like many a ntlm/cifs exploit.....
Sounds obsessive. (Score:2, Funny)
"Rewriting RoguePlanet to make it functional again drained my soul and I couldn't complete the other scenarios and for now it remains unclear if RoguePlanet is limited to LPE or there is some sort of way to turn it into an RCE," the researcher wrote.
Maybe try to get out more.
Re: (Score:2)
Apparently they're homeless because Microsoft didn't pay out so getting out more is probably the last thing on their mind since mission accomplished - they're outside already.
Re:Sounds obsessive. (Score:5, Funny)
Maybe try to get out more.
Read your .sig
Re: (Score:2)
I think I've had to reboot Win11 3 times this week (Score:2)
What are the chances that... (Score:1)
Re: (Score:2)
It's likely people using AI to find weakness.
Hell Hath No Fury (Score:5, Insightful)
like a bounty-seeker scorned.
Shoulda just paid 'em.
He sounds quite knowledgeable and it looks like he'll continue whipping Defender until morale improves.
It's worth noting that the black market would pay handsomely for most of his discoveries but retribution is sweeter than cash.
I get the sentiment.
Re: (Score:3)
Worst part, you can only screw a community so many times before they just decide not to play ball anymore.
At that point, its almost impossible to restore the status quo - which is likely bad for everyone using MS kit at that point.
Regression (Score:2, Troll)
Re: (Score:2)
Meeting middle-mangement scheduling goals looks good on your yearly performance review.
Gotta score that 4% raise!
DEFENDER turned into an attack vendor? (Score:2)
Re: (Score:2)
A newer version of me
Is she corrupted like me?
Would she go down on you in a presentation?
Does she sneak in quietly?
And would she have your system privileges?
I'm sure she'd make a really excellent doorstop.
Re: (Score:2)
And he's not gonna fade just because they close their eyes
And they know it
And every time they patch the fails
and refuse to pay him back, he hopes they feel it
Well, can you feel it?
Cuz he's here to remind you
Of the mess you made for the bugs unpaid
It's not fair to deny him
The cost that's fair for a bounty paid
You, you, you oughta know
These disclosures aren't the worst of it (Score:2, Interesting)
Now to turn my attention to the Subjec
Re: (Score:2)
MS has stacked tech debt on tech debt and never even tried to make a good product. I doubt they even have any real idea what a good product would look like. That they are crooks is just the icing on the cake.
As it is now, not only Windows is fundamentally broken and cannot be fixed. Their cloud got hacked several times. AD is always vulnerable in some way. They went "all in" on the crappy LLM-type AI. They are done for. They cannot really fix anything, their products just will get worse and worse until tota
Re: (Score:2)
"Iceberg! Right Ahead!"
Defender, you were the chosen one (Score:2)
Windows is crumbling (Score:2)
Stack tech-debt sky-high, build a house of cards, never really fix or simplify anything and that is what you get: A ruin that can only be torn down. That this is what they did is becoming more and more obvious at the moment. Windows very likely cannot be fixed anymore. Mindless greed does things like that.
Re: (Score:2)
Spin up a *nix and run M$ Apps in containers?
Re: (Score:2)
While they phone home? That does not help much for security. And it does nothing for all the other problems.
Re: (Score:2)
It can be fixed, they just won't do it. Microsoft has fought internally over various technologies for decades, between win32 and .Net and all the shit in-between. They never standardized like Apple did which left them entrenched in technical debt. They could, today, start a standardization process, build out a new and modern tech stack, advise their devs to migrate to that, then set a date with the cut off. Apple's success at this is a model for anyone to follow. They just won't due to internal fighting.
Eve
Re: (Score:2)
It can be fixed
That may well not be true. At a certain level of complexity, fixing anything means a redesign and reimplementation because anything else has exceeded the complexity that can be handled. That is the core reason why you want to keep technological debt as low as possible. Otherwise, at some point, you can just throw things away and start over. Microsoft has likely reached that point quite a while ago. Sure, if they could stop all development for, say, 10 years, and if they fire everybody responsible for the cu
Re: (Score:2)
I disagree. Apple went from OS9 to OSX, a completely new codebase by creating new frameworks for devs and a translation layer for old apps (Remember Cocoa, Rosetta, Carbon?). They then phased the old out while providing documentation and tools for devs to move. It's perfectly doable with very clear cases of it being done. Microsoft simply refuses to do it.
Apple's even done this while switching from PPC to Intel and then to ARM. There is no technological barrier here, it's all organizational and cultural at
Re: (Score:3)
OSX is based on FreeBSD. They did not do a reimplementation, they just added the easy parts. And basing things on FreeBSD is also the thing that allows Apple to switch CPU architecture. Because they get that almost for free. And that is why they could do it so fast. Sure, theoretically MS could do the same, but they are not organizationally capable of even thinking that they may have screwed up enough to make that step the only way out.
Also refer to countless large-scale software projects that have failed o
Re: (Score:2)
OSX is based on FreeBSD. They did not do a reimplementation, they just added the easy parts. And basing things on FreeBSD is also the thing that allows Apple to switch CPU architecture. Because they get that almost for free. And that is why they could do it so fast. Sure, theoretically MS could do the same, but they are not organizationally capable of even thinking that they may have screwed up enough to make that step the only way out.
Also refer to countless large-scale software projects that have failed or are in a bad state but cannot be fixed.
Why are you arguing? Your post just proved my whole point. Also it's not based on FreeBSD, it utilized the FreeBSD user space while doing their own kernel, Darwin. You keep stating "can't be fixed" as if it's some fact, while simultaneously acknowledging others have, in fact, fixed these issues in the past. Let it go.
Re: (Score:2)
You are arguing from faulty data. And, apparently, you have no real clue about software project complexity, cost and time needed.
Re: (Score:3)
WinRT, along with the mandate that all applications be UWP, was meant to be the foundation of that. Once migrated, the legacy plumbing could have been ripped out from underneath, but doing so took away the entire point of using Windows in the first place, and so consumers rejected it. Forcing it any further would have resulted in a mass exodus to anything that isn't completely crippled in terms of applicat
Re: (Score:2)
Well, their tech-debt is killing them now, just slowly. The most imminent threat is that the EU finds out how much better the alternatives really are and then the floodgates may open. High revenue (which MS has, minus the LLM insanity or the failing xbox) is no assurance of longer-term survival, even if business grads are apparently not taught that fact.
security tool (Score:1)
Without arguing pros/cons (Score:1)
If Ukraine did nothing they would have been taken over, another nation would likely have been threatened, and we would likely be debating drones being used by THAT nation to kill Russians by now.
Re: (Score:1)
wrong topic, sorry.