The newly disclosed unpatched Windows zero-day vulnerability is an arbitrary file read issue that could allow a low-privileged user or a malicious program to read the content of any file on a targeted Windows computer that otherwise would only be possible via administrator-level privileges.

The zero-day vulnerability resides in "MsiAdvertiseProduct" function of Windows that’s responsible for generating "an advertise script or advertises a product to the computer and enables the installer to write to a script the registry and shortcut information used to assign or publish a product."

According to the researcher, due to improper validation, the affected function can be abused to force installer service into making a copy of any file as SYSTEM privileges and read its content, resulting in arbitrary file read vulnerability.

"Even without an enumeration vector, this is still bad news, because a lot of document software, like office, will actually keep files in static locations that contain the full path and file names of recently opened documents..," the researcher said.

"Thus by reading files like this, you can get filenames of documents created by other users.. the filesystem is a spiderweb and references to user-created files can be found everywhere.. so not having an enumeration bug is not that big of a deal."

Besides sharing video demonstration of the vulnerability, SandboxEscaper also posted a link to a Github page hosting its proof-of-concept (PoC) exploit for the third Windows zero-day vulnerability, but the researcher's GitHub account has since been taken down.

This is the third time in the past few months SandboxEscaper has leaked a Windows zero-day vulnerability.

In October, SandboxEscaper released a PoC exploit for a privilege escalation vulnerability in Microsoft Data Sharing that allowed a low privileged user to delete critical system files from a targeted Windows system.

In late August, the researcher exposed details and PoC exploit for a local privilege escalation flaw in Microsoft Windows Task Scheduler occurred due to errors in the handling of the Advanced Local Procedure Call (ALPC) service.

Shortly after the PoC released, the then-zero-day vulnerability was found actively being exploited in the wild, before Microsoft addressed it in the September 2018 Security Patch Tuesday Updates.

近日，国外安全研究员 SandboxEscaper又一次在推特上公布了新的Windows 0 day漏洞细节及PoC。这是2018年8月开始该研究员公布的第三个windows 0 day漏洞。此次披露的漏洞可造成任意文件读取。该漏洞可允许低权限用户或恶意程序读取目标Windows主机上任意文件的内容，但不可对文件进行写入操作。在微软官方补丁发布之前，所有windows用户都将受此漏洞影响。

目前该作者的推特账号已被冻结，Github账号已被封禁，但目前该漏洞PoC已公开，请相关用户引起关注。

PoC排查
用户可以使用漏洞验证工具自行排查，详细验证过程可参考下面的视频：https://v.qq.com/x/page/l1355lq4hp7.html

漏洞验证工具可到下面的链接下载：

https://cloud.nsfocus.com/api/krosa/secwarning/files/window任意文件读取漏洞排查工具.zip

防护建议：

call我大机窝。