June 8, 2019 at 1:31 pm #1709
In the days of Windows XP, tasks were in the .JOB format and they can still be added to newer versions of the operating system.
What happens is that Task Scheduler imports a .JOB file with arbitrary DACL (discretionary access control list) control rights. In the absence of a DACL, the system grants any user full access to the file.
The researcher explains that the bug is exploitable by importing legacy task files into the Task Scheduler on Windows 10. Running a command using executables ‘schtasks.exe’ and ‘schedsvc.dll’ copied from the old system leads to a remote procedure call (RPC) to “_SchRpcRegisterTask” – a method that registers a task with the server, exposed by the Task Scheduler service.
“I assume that to trigger this bug you can just call into this function directly without using that schtasks.exe copied from Windows XP.. but I am not great at reversing,” said SandboxEscaper.
She added that what starts with limited privileges ends up with SYSTEM rights when a particular function is encountered. To prove the validity of her work, she shared a video showing the PoC in action on Windows x86.
“The exploit calls the code once, deletes the file, and then calls it again with an NTFS hard link pointing to the file that gets permissions clobbered with SetSecurityInfo(),”
I can confirm that this works as-is on a fully patched (May 2019) Windows 10 x86 system. A file that was formerly under full control only by SYSTEM and TrustedInstaller is now under full control by a limited Windows user.
Works quickly, and 100% of the time in my testing. pic.twitter.com/5C73UzRqQk
— Will Dormann (@wdormann) May 21, 2019
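A defensive check tied to what the post describes, added here as an example and not part of the original post or of any vendor tooling: it audits the Task Scheduler folders for legacy .job files whose DACL explicitly grants Full Control to broad groups, or that carry more than one NTFS hard link. The directory paths and the list of "broad" identities are assumptions; adjust them for your environment.

```powershell
# Added example (not from the original post): audit the Task Scheduler folders
# for legacy .JOB files and flag the two conditions the post describes, a
# permissive DACL and an extra NTFS hard link. Paths and the identity list are
# assumptions for this check.

$taskDirs = @("$env:SystemRoot\Tasks", "$env:SystemRoot\System32\Tasks")
$broadIdentities = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

function Get-LegacyJobFindings {
    param([string[]]$Directories = $taskDirs)
    foreach ($dir in $Directories) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Filter *.job -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $acl  = Get-Acl -LiteralPath $file.FullName
            # Explicit (non-inherited) Allow ACEs granting FullControl to a broad principal
            $broad = @($acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                -not $_.IsInherited -and
                $_.FileSystemRights.ToString() -match 'FullControl' -and
                $broadIdentities -contains $_.IdentityReference.Value
            })
            # Hard link enumeration via fsutil; needs an elevated prompt, otherwise the
            # count comes back as 0 and only the DACL test is meaningful
            $links = @(fsutil hardlink list $file.FullName 2>$null)
            [pscustomobject]@{
                Path          = $file.FullName
                LastWrite     = $file.LastWriteTime
                Owner         = $acl.Owner
                BroadFullCtrl = ($broad | ForEach-Object { $_.IdentityReference.Value }) -join ';'
                HardLinks     = $links.Count
                Suspicious    = ($broad.Count -gt 0) -or ($links.Count -gt 1)
            }
        }
    }
}

# Report only the findings worth a second look
Get-LegacyJobFindings | Where-Object Suspicious | Format-Table -AutoSize
```

Run it from an elevated prompt so the hard link count is populated; a legitimate legacy task normally has exactly one link and no explicit Full Control ACE for a broad group.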