An anonymous hacker leaked a new Windows zero-day Proofs-of-concept online that exploit the vulnerability resides in the Windows Task Scheduler.
Sanboxescaper, a pseudonym of an unknown hacker who is known for frequently leaking Windows zero-day bugs online, and this is a fifth zero-day bug that has been leaked in a year since August 2018.
In this leak, Exploit published for Task Scheduler vulnerability let attackers perform a local privilege escalation (LPE) and gain complete control of fully patched current version of Windows 10.
Task Scheduler is a component of Microsoft Windows that provides the ability to schedule the launch of programs or scripts at pre-defined times or after specified time intervals.
Sanboxescaper concentrated with the Task Scheduler and exploited the bug in Windows 10 by calling an RPC Function “SchRpcRegisterTask“( a method registers a task with the server) which is exposed by the task scheduler service.
Remote Procedure Call (RPC) is a protocol that one program can use to request a service from a program located in another computer on a network without having to understand the network’s details.
It can be achieved by import legacy task files (“.job” file format) with arbitrary DACL Writes from other systems to Windows 10 Task Scheduler.
Arbitrary DACL writes allow a low-privileged user to change the system permissions, eventually, a local user gains complete control of the system.
Sandbox escaper explains, “For example, In the old days (i.e windows xp) tasks would be placed in c:\windows\tasks in the “.job” file format.
“If on windows 10 you want to import a .job file into the task scheduler you have to copy your old .job files into c:windowstasks and run the following command using “schtasks.exe and ‘schedsvc.dll” copied from the old system” “I assume that to trigger this bug you can just call into this function directly without using that schtasks.exe copied from windows xp.. but I am not great at reversing”
Researcher also released a demo video of the LPE zero-day in action. See below: pic.twitter.com/ZX8XWLQ74z
— Catalin Cimpanu (@campuscodi) May 22, 2019
Will Dormann, a Security researcher from US Cert Tested the exploit and confirms that the exploit is 100% working against fully patched Windows 10.
I can confirm that this works as-is on a fully patched (May 2019) Windows 10 x86 system. A file that is formerly under full control by only SYSTEM and TrustedInstaller is now under full control by a limited Windows user.
Works quickly, and 100% of the time in my testing. pic.twitter.com/5C73UzRqQk
— Will Dormann (@wdormann) May 21, 2019
Mitja Kolsek, Co-Founder of 0patch, tested this zero-day and confirmed that “this 0day from SandboxEscaper to work on fully updated Windows 10. The DACL of any chosen file gets altered so that the provided user can arbitrarily modify it.”
We have confirmed this 0day from SandboxEscaper to work on fully updated Windows 10. The DACL of any chosen file gets altered so that the provided user can arbitrarily modify it. https://t.co/AhP9mDwnGs
— 0patch (@0patch) May 22, 2019
This is not an end of Zero-day Leak
SandboxEscaper also warned that She found more Zero-day’s and it’s coming on the way.
“Oh, and I have 4 more unpatched bugs where that one came from.
3 LPEs (all gaining code exec as a system, not lame delete bugs or whatever), and one sandbox escape.”
Also, she said “If any non-western people want to buy LPEs, let me know. (Windows LPE only, not doing any other research nor interested in doing so). Won’t sell for less than 60k for an LPE.”|
“I don’t owe society a single thing. Just want to get rich and give you fucktards in the west the middle finger.”
There is no patch available for this Zero-day Vulnerability at this moment, But we can expect Microsoft to patch this flaw and release an update in next patch Tuesday update on June 12, 2019.