Microsoft Task Scheduler contains a local privilege escalation vulnerability in the ALPC interface
Privilege escalation is the process by which an attacker moves vertically or horizontally to obtain different privileges on the system under attack. A horizontal move gives the attacker no more privileges than before, but the same privileges under a different set of credentials (user account). A vertical move is what is properly called privilege escalation: the attacker gains higher privileges, such as SYSTEM or root. Privilege escalation poses a great risk, since it usually gives the threat actor control of the whole system.
Windows Task Scheduler
The Windows Task Scheduler lets you perform routine tasks on a chosen computer automatically: it monitors whatever criteria you choose to initiate the tasks (triggers) and executes the tasks when those criteria are met. Windows Task Scheduler is typically installed automatically with several Microsoft operating systems.
The Microsoft Task Scheduler SchRpcSetSecurity API contains a vulnerability in its handling of Advanced Local Procedure Call (ALPC) requests, which can allow an authenticated user to overwrite the contents of a file that should be protected by filesystem ACLs. This can be leveraged to gain SYSTEM privileges. The publicly available exploit code is confirmed to work on 64-bit Windows 10 and Windows Server 2016 systems; it is also confirmed to work on 32-bit Windows 10 with minor modifications, and compatibility with other Windows versions is possible with further modifications.
There are indicators the vulnerability is being exploited by malicious threat actors.
Each task created by the Task Scheduler has a corresponding folder or file under "c:\windows\system32\tasks". There are indications that the service was designed to write the Discretionary Access Control List (DACL) of those tasks while impersonating the calling user. However, it also checks whether a ".job" file exists under "c:\windows\tasks" and tries to set that file's DACL without impersonating. Since any user, even one belonging only to the Guests group, can create files in that folder, simply creating a hardlink there to another file (one the user has read access to) and letting the Task Scheduler write an arbitrary DACL to the file the hardlink points to gives that user full control of the target file and the ability to overwrite it.
The proof-of-concept exploit published online includes an enumerating PowerShell script to help identify files to take control over.
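The mechanism described above is also what a defender can hunt for. The following PowerShell script is an added example written for this post, not code from LIFARS or from the published proof of concept. It lists every file in C:\Windows\Tasks, asks fsutil for all hard-link names of that file, flags any name that lies outside the Tasks folder (the pivot the post describes), and then reports DACL entries on the linked target that grant write-type rights to principals other than SYSTEM, Administrators and TrustedInstaller (the post-condition of a successful SchRpcSetSecurity abuse). The fsutil output format (one volume-relative path per line) and the trusted-principal list are assumptions made for this example.

```powershell
# Added defensive example; not code from the LIFARS post or the cited PoC.
# Hunts for the precondition of the abuse described above: a file in
# C:\Windows\Tasks that is a hard link to a file elsewhere on the volume,
# and reports weak DACL entries on the linked target.
# Assumptions: run elevated; fsutil.exe is available and
# 'fsutil hardlink list <file>' prints one volume-relative path per line
# (e.g. \Windows\System32\example.dll) for every name of that file.

$TasksDir = 'C:\Windows\Tasks'

# Principals expected to hold write-type rights on protected system files (assumed list).
$TrustedPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'
)

# Rights that let a principal change a file's content, permissions or owner.
$DangerousRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete -bor
                   [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                   [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Get-HardLinkNames {
    # Returns every full path (all hard-link names) of the given file.
    param([Parameter(Mandatory)][string]$Path)
    $drive = Split-Path -Qualifier $Path            # e.g. 'C:'
    & fsutil.exe hardlink list $Path 2>$null |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ } |
        ForEach-Object { "$drive$_" }               # '\Windows\x' -> 'C:\Windows\x'
}

function Get-WeakAces {
    # Returns Allow ACEs granting write-type rights to principals outside the trusted set.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return @() }
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $TrustedPrincipals -notcontains $_.IdentityReference.Value -and
        (($_.FileSystemRights -band $DangerousRights) -ne 0)
    }
}

function Find-TaskDirHardLinks {
    param([string]$Directory = $TasksDir)
    $findings = @()
    foreach ($file in Get-ChildItem -LiteralPath $Directory -File -Force -ErrorAction SilentlyContinue) {
        $names = @(Get-HardLinkNames -Path $file.FullName)
        # A legitimate .job file has exactly one name, and it is inside the Tasks folder.
        $outside = @($names | Where-Object {
            -not $_.StartsWith("$Directory\", [System.StringComparison]::OrdinalIgnoreCase)
        })
        foreach ($target in $outside) {
            $weak = @(Get-WeakAces -Path $target)
            $findings += [pscustomobject]@{
                LinkInTasks = $file.FullName
                Owner       = (Get-Acl -LiteralPath $file.FullName).Owner
                Target      = $target
                WeakAces    = ($weak | ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }) -join '; '
            }
        }
    }
    return $findings
}

$results = @(Find-TaskDirHardLinks)
if ($results.Count -gt 0) {
    $results | Format-List
} else {
    Write-Output "No hard links from $TasksDir to other locations found."
}
```

The script finds the artefact only while the hardlink still exists; an attacker who has already overwritten the target can delete the link afterwards, so the DACL check in Get-WeakAces is worth running on its own against the system files you care about, independent of what is currently in C:\Windows\Tasks. Neither check replaces applying Microsoft's update for the issue.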
What to Do
Contact LIFARS if you want to ensure your systems are not vulnerable to this exploit. To increase your cyber resiliency, LIFARS has a variety of services available including threat hunting, penetration testing, secure code review, cloud security compliance, amongst others. If you have a cyber incident or breach, call the LIFARS incident response hotline immediately at +1 212 222 7061 for help.
Image credits: Windows Central.