UPDATE
A Windows zero-day exploit dropped by developer SandboxEscaper would allow local privilege-escalation (LPE), by importing legacy tasks from other systems into the Task Scheduler utility.
It’s the latest zero-day from SandboxEscaper, who said that she has four more in the hopper that she’d like to sell for $60,000 to non-Western buyers [Ed. Note: She made good on the claim by releasing more code a day after this report].
Mitja Kolsek, co-founder of 0patch and CEO of Arcos Security, told Threatpost that the bug in most ways is a typical LPE flaw, allowing a low-privileged user on the computer to arbitrarily modify any file, including system executables.
“Since these are executed in high-privileged context, the attacker’s code can get executed and, for instance, promote the attacker to local administrator or obtain covert persistence on the computer,” said Kolsek, adding that 0patch is working on releasing a micropatch for the vulnerability as soon as possible. “The only atypical factor is that the attacker must know a valid username and password on the computer because these must be passed to Task Scheduler in order for the exploit to work.”
He added, “This means, for example, that a local corporate user without administrative privileges on their workstation could easily mount such attack, and so would an external attacker who gained remote access to some computer in the network and found or guessed any Windows domain user’s credentials.”
Adam Kujawa, director of Malwarebytes Labs, told Threatpost that “this is a useful trick for gaining access to files you wouldn’t normally have access to, and are able to delete them or remove them from the system. This can cause a lot of problems, from disabling security software to deleting critical operating system files and potentially breaking the OS.”
The good news is that since exploitation requires access to the system, then attack via scripting and automation, a la EternalBlue, is unlikely. However, Bugcrowd CTO and founder Casey Ellis told Threatpost that it could realistically be chained with comparatively more common and cheaper remote exploits — an endeavor that would be worth an attacker’s efforts since the attack gives an adversary access to files that usually only SYSTEM and TrustedInstaller have ownership over.
“The privilege-escalation ability of SYSTEM or TrustedInstaller is pretty severe… SYSTEM is essentially the God-mode of a windows system, and TrustedInstaller allows future installation of code without interruption,” he said.
Ellis added, “The vulnerability discussed is definitely interesting to a nation-state as part of an exploitation chain, because of its ability to escalate privilege AND to maintain persistence through SYSTEM and TrustedInstaller privileges.”
Abusing Legacy Tasks
The exploit, disclosed on Twitter on Tuesday, takes advantage of the fact that old Windows XP tasks in the .JOB format can be imported to Windows 10 via the Task Scheduler. An adversary can run a command using executables ‘schtasks.exe’ and ‘schedsvc.dll’ copied from the old system. This results in a call to a remote procedure call (RPC) called “SchRpcRegisterTask,” which is exposed by the Task Scheduler service.
When a specific function is encountered, called “\par int __stdcall tsched::SetJobFileSecurityByName(LPCWSTR StringSecurityDescriptor, const unsigned __int16 *, int, const unsigned __int16 *)\par”, it opens the door to gaining system privileges.
“I assume that to trigger this bug you can just call into this function directly without using that schtasks.exe copied from Windows XP,” SandboxEscaper added in her Tuesday writeup. “but I am not great at reversing :(.”
Other researchers have tested the exploit and found it to be valid.
“I can confirm that this works as-is on a fully patched (May 2019) Windows 10 x86 system,” tweeted Will Dormann, a vulnerability analyst at CERT/CC. “A file that is formerly under full control by only SYSTEM and TrustedInstaller is now under full control by a limited Windows user. Works quickly, and 100% of the time in my testing.”
He said it works against a fully patched and up-to-date version of Windows 10, 32 and 64-bit, as well as Windows Server 2016 and 2019. Windows 8 and 7 are not vulnerable, he noted.
Microsoft, for its part, has yet to release an advisory or statement on the bug, which doesn’t yet have a CVE.
More Zero-Days on the Horizon?
SandboxEscaper also announced on her blog that she’s sitting on three other LPE vulnerabilities and another, fittingly, for escaping the Windows sandbox.
“If any non-western people want to buy LPEs, let me know,” she wrote. “(Windows LPE only, not doing any other research nor interested in doing so). Won’t sell for less then 60k for an LPE. I don’t owe society a single thing. Just want to get rich and give you *** in the west the middlefinger.”
SandboxEscaper has a history of releasing fully functional Windows zero-days. Last August, she debuted another Task Scheduler flaw on Twitter, which was quickly exploited in the wild in a spy campaign just two days after disclosure.
In October, SandboxEscaper released an exploit for what was dubbed the “Deletebug” flaw, found in Microsoft’s Data Sharing Service (dssvc.dll). And towards the end of 2018 she offered up two more: The “angrypolarberbug,” which allows a local unprivileged process to overwrite any chosen file on the system; and a vulnerability allows an unprivileged process running on a Windows computer to obtain the content of arbitrary file – even if permissions on such file don’t allow it read access.
“I believe her claim about four more vulnerabilities, as she has demonstrated her abilities to find them in the past,” Kolsek told Threatpost.
SandboxEscaper’s penchant for releasing exploits into the wild apparently without vendor notification may be the most discussion-stirring part of this story, said Kujawa.
“Releasing exploits without giving the developer a heads up first, so they can patch the vulnerability, is like dropping a pile of rocket launchers on the ground at a school then calling the cops afterward and letting them know there is a pile of weapons in the playground,” he said. “In the meantime, lots of kids are blowing up stuff and damage that could have prevented, occurs.”
This posting was updated at 2:51 p.m. ET to include comments from Bugcrowd and Malwarebytes.
Want to know more about Identity Management and navigating the shift beyond passwords? Don’t miss our Threatpost webinar on May 29 at 2 p.m. ET. Join Threatpost editor Tom Spring and a panel of experts as they discuss how cloud, mobility and digital transformation are accelerating the adoption of new Identity Management solutions. Experts discuss the impact of millions of new digital devices (and things) requesting access to managed networks and the challenges that follow.