The local privilege-escalation (LPE) zero-day bug in Microsoft Task Scheduler, disclosed by SandboxEscaper on Twitter in late May by publishing a fully functioning exploit, now has a micropatch.
The interim fix, from 0patch, was issued Tuesday to address the vulnerability. The bug would allow LPE via importing legacy tasks from other systems into the Task Scheduler utility.
Mitja Kolsek, co-founder of 0patch and CEO of Acros Security, told Threatpost that the bug (which he dubbed “BearLPE” after SandboxEscaper’s Polar Bear-related blog title) is in most ways a typical LPE flaw: it allows a low-privileged user on the computer to arbitrarily modify any file, including system executables.
“Since these are executed in high-privileged context, the attacker’s code can get executed and, for instance, promote the attacker to local administrator or obtain covert persistence on the computer,” said Kolsek.
However, there’s more to it than that. While successful exploitation requires that the attacker know a valid username and password on the target computer (requiring some reconnaissance or a lucky guess of a Windows domain user’s credentials), the attack gives an adversary write access to highly privileged files that usually only SYSTEM and TrustedInstaller have ownership over. It could also realistically be chained with the comparatively common and cheap exploits used for remote access, researchers told Threatpost – making it a potentially very dangerous flaw.
The micropatch addresses the issue by cutting off a remote procedure call (RPC) named “SchRpcSetSecurity.” The original exploit works by making an RPC call to “SchRpcRegisterTask,” which is exposed by the Task Scheduler service. However, while tweaking this function to thwart the exploit, 0patch discovered that a call is also made to the likewise-exposed “SchRpcSetSecurity” if the original call to “SchRpcRegisterTask” fails – which SandboxEscaper’s exploit relies on as a kind of back-up mechanism to ensure successful exploitation.
“It looked like some monitoring thread was used for getting the job done when the original call failed, but this thread was not called via RPC, and client impersonation could not be used there,” explained Kolsek, in a posting on Tuesday. “We therefore decided on a more drastic approach and simply amputated the call to SetSecurity…after that, we got the desired behavior.” He added, “Since we didn’t even touch schedsvc.dll, the new (non-legacy) Task Scheduler functionality was not affected at all.”
The micropatch is available for Windows 10 machines only – but there’s a reason for that.
“While Windows 8 still contains this vulnerability, exploitation using the publicly-described technique is limited to files where the current user has write access, in our testing,” Kolsek said. “As such, the impact on Windows 8 systems using the technique used by the public exploit appears to be negligible. We have not been able to demonstrate the vulnerability on Windows 7 systems.”
The exploit for the flaw was the first in a string of recent exploits from SandboxEscaper, who said that she’d like to sell these kinds of weapons for $60,000 to non-Western buyers (as of this writing, the exploit code has been removed from GitHub). Shortly after making the BearLPE exploit public, she released three more, plus an exploit for a Windows Internet Explorer bug. Of these, 0patch is working on a fix for only one.
“‘angrypolarbearbug2’ is not a 0day, as it was fixed by May 2019 Windows Updates,” a spokesperson said via email. “InstallerBypass – we were unable to reproduce it and know of no one being successful at that (it could be just really difficult to reproduce, or depending on some external factors that were not present in our testing environment); and ‘sandboxescape’ we were able to reproduce but don’t consider it a critical enough bug for micropatching.”
The fourth is a bypass bug that 0patch was able to verify and is analyzing for micropatching. It’s a bypass for a previously released patch addressing a Windows permissions-overwrite, privilege-escalation flaw (CVE-2019-0841). The bug exists because the Windows AppX Deployment Service (AppXSVC) improperly handles hard links.
SandboxEscaper has a history of releasing fully functional Windows zero-days. Last August, she debuted another Task Scheduler flaw on Twitter, which was quickly exploited in the wild in a spy campaign just two days after disclosure.
In October, SandboxEscaper released an exploit for what was dubbed the “Deletebug” flaw, found in Microsoft’s Data Sharing Service (dssvc.dll). And towards the end of 2018 she offered up two more: the “angrypolarbearbug,” which allows a local unprivileged process to overwrite any chosen file on the system; and a vulnerability that allows an unprivileged process running on a Windows computer to obtain the content of an arbitrary file – even if the permissions on that file don’t grant it read access.