‘BlueHammer’ Exploit Targets Windows, Potentially Impacting 1 Billion+ Devices

Image: Ed Hardie/Unsplash

A disgruntled security researcher has made good on a threat.

A security researcher going by the aliases Chaotic Eclipse and Nightmare-Eclipse published exploit code for a Windows privilege escalation vulnerability. The flaw, dubbed BlueHammer, has no official patch from Microsoft, making it a zero-day vulnerability.

“I was not bluffing Microsoft and I’m doing it again,” Chaotic Eclipse wrote in a post accompanying the release. “Unlike previous times, I’m not explaining how this works, y’all geniuses can figure it out. Also, huge thanks to MSRC leadership for making this possible.”

The MSRC is Microsoft’s Security Response Center, the team responsible for handling vulnerability reports.

BlueHammer is what experts call a local privilege escalation flaw: if an attacker already has some access to a Windows computer, even just as a regular, low-privilege user, they can use this exploit to gain SYSTEM-level control, the highest level of access on a Windows machine.

Will Dormann, principal vulnerability analyst at Tharros (formerly Analygence), confirmed to BleepingComputer that the exploit works. He described it as a combination of two technical issues: a TOCTOU (time-of-check to time-of-use) bug and a path confusion problem.

“At that point, [the attackers] basically own the system, and can do things like spawn a SYSTEM-privileged shell,” Dormann told BleepingComputer.

Once attackers reach that level, they can access the Security Account Manager (SAM) database, which stores password hashes for local accounts. From there, full machine takeover is just a few steps away.

Why is the researcher furious?

The exact trigger for the public release remains unclear. But the researcher’s frustration with Microsoft is impossible to miss.

On April 3, Nightmare-Eclipse published the exploit on GitHub and wrote: “I’m just really wondering what was the math behind their decision, like you knew this was going to happen and you still did whatever you did? Are they serious?”

Earlier, on March 26, the researcher using the alias “deadeclipse666” posted a threatening message on Blogspot: “I never wanted to reopen a blog and a new github account to drop code. But someone violated our agreement and left me homeless with nothing. They knew this would happen and they still stabbed me in the back anyway, this is their decision not mine.”

The posts suggest a prior relationship with Microsoft, possibly a bug bounty arrangement that turned sour.

Will Dormann offered a possible explanation on Mastodon, as reported by Security Affairs: “SRC used to be quite excellent to work with. But to save money, Microsoft fired the skilled people, leaving flowchart followers. I wouldn’t be surprised if Microsoft closed the case after the reporter refused to submit a video of the exploit, since that’s apparently an MSRC requirement now.”

Submitting a video demonstration of a working exploit is reportedly a requirement for vulnerability reporters dealing with Microsoft.

Microsoft responds

Microsoft has not yet issued a patch or detailed advisory for BlueHammer, but provided a general statement: “Microsoft has a customer commitment to investigate reported security issues and update impacted devices to protect customers as soon as possible.

We also support coordinated vulnerability disclosure, a widely adopted industry practice that helps ensure issues are carefully investigated and addressed before public disclosure, supporting both customer protection and the security research community.”
