Recent Zero-Day Vulnerabilities disclosed on Twitter

By Stuart Nevans Locke:

 
Within the last few weeks, two Zero-Day exploits were disclosed on Twitter. Typically, exploits are reported to the company with a vulnerable product, researchers wait until the company fixes the vulnerability, and after patches are released for the exploit the vulnerability is made public. Companies that run bug bounty programs often pay researchers for finding vulnerabilities, however those companies almost always pay researchers less than they could get if they sold those vulnerabilities on the black market. Some bug bounty programs can also have extremely limited scope or are reluctant to reward researchers with bounties. As a result, companies such as Zerodium have formed which operate in the gray area of buying and selling exploits. For example, last year Zerodium offered to pay up to $250,000 to researchers who found a remote code execution vulnerability that resulted in root access, while the bug bounty program run by Tor would pay a maximum of $4,000.zerodium_prices

On September 10, Zerodium released a tweet saying that a the NoScript plugin of Tor Browser version 7.x could be trivially bypassed. The NoScript plugin is made for Firefox and bundled into Tor Browser. Its primary purpose is to prevent javascript from running in your browser. While a vulnerability that bypasses NoScript would not be enough to de-anonymize users of the Tor Browser, it could be a useful step in running javascript based exploits to do so. What makes this case of irresponsible disclosure so interesting is that Zerodium is in the business of buying and selling vulnerabilities, not giving them away on Twitter for no reason. This has caused speculation about why they released the vulnerability and theories range from it being a PR move to them having more severe exploits in other versions of Tor.

Just a few days earlier, on August 27, a Twitter user going by the handle @SandboxEscaper posted a tweet containing a Local Privilege Escalation Exploit that worked on fully updated windows machines. Both the source code and a Proof of Concept (PoC) were published by the researcher. In the tweet, SandboxEscaper complained about how unpleasant dealing with Microsoft had been for them in the past. Very quickly after SandboxEscaper released this exploit, malware in the wild began to use the exploit.

The most worrisome thing about these two vulnerabilities is how they were both disclosed in such irresponsible manners, allowing them to be exploited in the wild before NoScript and Microsoft had time to put out patches. One of the important things that cybersecurity researchers emphasize is the process of responsible disclosure, and it’s extremely worrisome to see this completely ignored by multiple sources.

Some Sources:
https://www.zdnet.com/article/exploit-vendor-drops-tor-browser-zero-day-on-twitter/ (Summary of Zerodium’s disclosure)
https://www.theregister.co.uk/2018/08/28/windows_zero_day_lpe/ (Summary of SandboxEscaper’s disclosure)
https://hackerone.com/torproject (Tor bug bounty)
https://zerodium.com/tor.html (Zerodium Tor Page)
https://doublepulsar.com/task-scheduler-alpc-exploit-high-level-analysis-ff08cda6ad4f (Technical Analysis of SandboxEscaper’s exploit)