New Microsoft Defender “RedSun” zero-day PoC grants SYSTEM privileges

A researcher known as “Chaotic Eclipse” published a proof-of-concept exploit called RedSun that abuses Microsoft Defender’s cloud file behavior to achieve local privilege escalation and obtain SYSTEM on fully patched Windows 10, Windows 11, and Windows Server. The release, following a prior BlueHammer PoC, was made in protest of the researcher’s treatment by Microsoft’s vulnerability response process. #RedSun #ChaoticEclipse

Key points

  • Chaotic Eclipse released a RedSun PoC that grants SYSTEM privileges on fully patched Windows 10, Windows 11, and Windows Server when Defender is enabled.
  • The exploit leverages Microsoft Defender’s cloud tag behavior and the Cloud Files API to overwrite system files and run a planted TieringEngineService.exe as SYSTEM.
  • Will Dormann confirmed the exploit works, describing use of an oplock, a volume shadow copy race, and a directory junction to redirect the file rewrite.
  • Some antivirus engines detected the PoC because it contained an embedded EICAR string, and detections were reduced after encrypting that string.
  • The researcher published RedSun and a previous BlueHammer PoC in protest of how Microsoft’s Security Response Center handles coordinated vulnerability disclosure; Microsoft reiterated its commitment to investigate and patch reported issues.
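A defender-side integrity check prompted by the points above, written as an added example for this summary (it is not code from the article, the researcher, or Microsoft): it verifies that the TieringEngineService.exe on disk carries a valid Microsoft Authenticode signature, that no directory in its path is a reparse point (a directory junction), and that the service's configured binary path still points there. The System32 location and the service name TieringEngineService are assumptions; the article does not state where the planted binary is placed.

```powershell
# Added example, not from the article. Assumed location of the legitimate
# binary and assumed service name; adjust if your environment differs.
$expectedPath = Join-Path $env:SystemRoot 'System32\TieringEngineService.exe'

function Test-PathHasReparsePoint {
    param([string]$Path)
    # Walk every ancestor directory: a junction anywhere in the chain lets
    # the path be silently redirected, which is the technique described above.
    $dir = Split-Path -Path $Path -Parent
    while ($dir) {
        $item = Get-Item -LiteralPath $dir -ErrorAction SilentlyContinue
        if ($item -and ($item.Attributes -band [IO.FileAttributes]::ReparsePoint)) {
            return $true
        }
        $parent = Split-Path -Path $dir -Parent
        if ($parent -eq $dir) { break }
        $dir = $parent
    }
    return $false
}

function Test-TieringEngineBinary {
    param([string]$Path)
    $findings = @()
    if (-not (Test-Path -LiteralPath $Path)) {
        return @("binary not found at $Path")
    }
    # A planted or overwritten binary will not carry a valid Microsoft signature.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        $findings += "signature status is $($sig.Status)"
    }
    if ($sig.SignerCertificate -and $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        $findings += "unexpected signer: $($sig.SignerCertificate.Subject)"
    }
    if (Test-PathHasReparsePoint -Path $Path) {
        $findings += 'a directory in the path is a reparse point (possible junction)'
    }
    # The service should still launch the binary from the expected location.
    $svc = Get-CimInstance Win32_Service -Filter "Name='TieringEngineService'" -ErrorAction SilentlyContinue
    if ($svc -and $svc.PathName -notlike "*$Path*") {
        $findings += "service PathName differs: $($svc.PathName)"
    }
    return $findings
}

$result = Test-TieringEngineBinary -Path $expectedPath
if ($result.Count -eq 0) { 'OK: no findings' } else { $result | ForEach-Object { "FINDING: $_" } }
```

Run it from an elevated PowerShell session; any FINDING line warrants collecting the file and its hash before remediation.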

Read More: https://www.bleepingcomputer.com/news/microsoft/new-microsoft-defender-redsun-zero-day-poc-grants-system-privileges/