This video shows how 0patch neutralizes the "ReadFile" 0day exploit published in December 2018 by SandboxEscaper. The exploit uses the MsiAdvertiseProduct API to instruct Windows to copy a chosen MSI file to a temporary MSI file in C:\Windows\Installer folder and perform its "advertising" procedure on that file. However, since permissions on said temporary file are such that Everyone can read it, the exploit uses a symlink to trick Windows into copying some file that is otherwise not accessible to attacker - and can then read the content of that file from the temporary MSI file.

Our micropatch redirects the execution of MsiAdvertiseProduct to an existing branch that sets the permissions on the temporary MSI file to be the same as the permissions of the origin file (in our case, the "desktop.ini") - which prevents the attacker from reading it.

More information here: [ Ссылка ]

свернуть