SandboxEscaper has released her latest local privilege-escalation exploit for Windows.
A Windows zero-day exploit dropped by developer SandboxEscaper would allow local privilege-escalation (LPE), by importing legacy tasks from other systems into the Task Scheduler utility.
It’s the latest zero-day from SandboxEscaper, who said that she has four more in the hopper that she’d like to sell for $60,000 to non-Western buyers.
Mitja Kolsek, co-founder of 0patch and CEO of Arcos Security, told Threatpost that the bug is a typical LPE flaw, allowing a low-privileged user on the computer to arbitrarily modify any file, including system executables.
“Since these are executed in high-privileged context, the attacker’s code can get executed and, for instance, promote the attacker to local administrator or obtain covert persistence on the computer,” said Kolsek, adding that 0patch is working on releasing a micropatch for the vulnerability as soon as possible. “The only atypical factor is that the attacker must know a valid username and password on the computer because these must be passed to Task Scheduler in order for the exploit to work.”
He added, “This means, for example, that a local corporate user without administrative privileges on their workstation could easily mount such an attack, and so would an external attacker who gained remote access to some computer in the network and found or guessed any Windows domain user’s credentials.”
Abusing Legacy Tasks
The exploit, disclosed on Twitter on Tuesday, takes advantage of the fact that old Windows XP tasks in the .JOB format can be imported to Windows 10 via the Task Scheduler. An adversary can run a command using the executables ‘schtasks.exe’ and ‘schedsvc.dll’ copied from the old system. This results in a call to the remote procedure call (RPC) method “SchRpcRegisterTask,” which is exposed by the Task Scheduler service.
When processing reaches a specific function, “int __stdcall tsched::SetJobFileSecurityByName(LPCWSTR StringSecurityDescriptor, const unsigned __int16 *, int, const unsigned __int16 *)”, it opens the door to gaining system privileges.
“I assume that to trigger this bug you can just call into this function directly without using that schtasks.exe copied from Windows XP,” SandboxEscaper added in her Tuesday writeup. “but I am not great at reversing :(.”
Other researchers have tested the exploit and found it to be valid.
“I can confirm that this works as-is on a fully patched (May 2019) Windows 10 x86 system,” tweeted Will Dormann, a vulnerability analyst at CERT/CC. “A file that is formerly under full control by only SYSTEM and TrustedInstaller is now under full control by a limited Windows user. Works quickly, and 100% of the time in my testing.”
He said it works against a fully patched and up-to-date version of Windows 10, 32- and 64-bit, as well as Windows Server 2016 and 2019. Windows 8 and 7 are not vulnerable, he noted.
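The observable result Dormann describes is a system file whose DACL now grants full control to a limited user. The following audit script is an added example, not from the article or from any of the researchers quoted: it walks system binaries, flags Allow entries that give write-class rights to principals outside the expected set, and lists any legacy XP-style .JOB files in the Tasks directory. The expected-principal list and the scanned paths are assumptions and may need adjusting for a given environment.

```powershell
# Added audit script (not part of the original article). Run elevated so that
# every file's ACL can be read. Reports files whose DACL grants write-class
# rights to principals other than SYSTEM, TrustedInstaller or Administrators,
# then lists legacy .JOB files, which should not normally exist on Windows 10.
param(
    [string[]]$Paths = @("$env:SystemRoot\System32\*.exe", "$env:SystemRoot\System32\*.dll"),
    [string]$LegacyTaskDir = "$env:SystemRoot\Tasks"
)

# Principals expected to hold write rights on system binaries (assumed baseline;
# extend it if your build legitimately grants other service SIDs write access).
$expected = @(
    'NT AUTHORITY\SYSTEM',
    'NT SERVICE\TrustedInstaller',
    'BUILTIN\Administrators'
)

# Any of these rights lets a principal alter the file or its security descriptor.
$writeMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

foreach ($file in Get-ChildItem -Path $Paths -File -ErrorAction SilentlyContinue) {
    $acl = Get-Acl -LiteralPath $file.FullName
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band [int]$writeMask) -eq 0) { continue }
        if ($expected -contains $ace.IdentityReference.Value) { continue }
        # Unexpected principal with write-class rights on a system binary.
        [pscustomobject]@{
            File     = $file.FullName
            Identity = $ace.IdentityReference.Value
            Rights   = $ace.FileSystemRights
            Owner    = $acl.Owner
        }
    }
}

# Legacy .JOB task files imported from an old system are worth a second look.
Get-ChildItem -Path $LegacyTaskDir -Filter *.job -File -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime
```

A hit from the first loop is not proof of exploitation on its own; compare the reported entries against a known-good host of the same build before acting on them.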
Microsoft, for its part, has yet to release an advisory or statement on the bug, which doesn’t yet have a CVE.
More Zero-Days on the Horizon?
SandboxEscaper also announced on her blog that she’s sitting on three other LPE vulnerabilities and another, fittingly, for escaping the Windows sandbox.
“If any non-western people want to buy LPEs, let me know,” she wrote. “(Windows LPE only, not doing any other research nor interested in doing so). Won’t sell for less than 60k for an LPE. I don’t owe society a single thing. Just want to get rich and give you *** in the west the middle finger.”
SandboxEscaper has a history of releasing fully functional Windows zero-days. Last August, she debuted another Task Scheduler flaw on Twitter, which was quickly exploited in the wild in a spy campaign just two days after disclosure.
In October, SandboxEscaper released an exploit for what was dubbed the “Deletebug” flaw, found in Microsoft’s Data Sharing Service (dssvc.dll). And towards the end of 2018 she offered up two more: the “angrypolarbearbug,” which allows a local unprivileged process to overwrite any chosen file on the system; and a vulnerability that allows an unprivileged process running on a Windows computer to obtain the content of an arbitrary file, even if the permissions on that file don’t allow it read access.
“I believe her claim about four more vulnerabilities as she has demonstrated her abilities to find them in the past,” Kolsek told Threatpost.