Flaw can be exploited with a ‘100 per cent success rate’
A SECURITY RESEARCHER has released details of a zero-day vulnerability affecting the Task Scheduler in Windows 10.
The security flaw could enable attackers to gain full control of files on either Windows 10 or Windows Server, she has warned.
SandboxEscaper, the moniker of the researcher who discovered the vulnerability, shared the demo exploit code on GitHub. The zero-day is a local privilege escalation (LPE) flaw that can be exploited by hackers to elevate their level of access on systems they have already compromised.
According to SandboxEscaper, the vulnerability lies in the Windows Task Scheduler process and could enable attackers to take advantage of the Task Scheduler’s ability to import legacy .job files with arbitrary discretionary access control list (DACL) control rights.
When a .job file lacks a DACL, the system can grant a user full access to the file.
Hackers can use a malicious .job file to exploit this zero-day flaw. That would elevate an attacker's low-privileged account to admin access, and eventually grant them control over the full system.
The exploit can reportedly work on earlier Windows operating systems, such as Windows XP and Windows Server.
SandboxEscaper shared a video to demonstrate the proof-of-concept in action on Windows x86.
“The exploit calls the code once, deletes the file, and then calls it again with an NTFS hard link pointing to the file that gets permissions clobbered with SetSecurityInfo(),” Will Dormann, a security expert at CERT/CC told BleepingComputer.
Dormann had tested the exploit code and found it working on a patched Windows 10 x86 system, with a 100 per cent success rate. The code also works on a 64-bit Windows 10 system after recompilation, and the results are similar to those obtained with Server 2016 and 2019.
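The mechanism described above (legacy .job files imported without a DACL, and a hard link used so that the permissions of another file get rewritten by SetSecurityInfo()) suggests a simple defensive check: enumerate the Task Scheduler's file locations and flag task files whose DACL is null or grants write rights to broad groups, or which carry additional hard links. The following PowerShell audit is an added example for this article and is not SandboxEscaper's proof-of-concept or any Microsoft tooling; it assumes an elevated PowerShell 5.1 or later session on the host being checked, the two standard task directories named in the script, and a list of "broad" principals and a write-rights mask that are this example's own choices.

```powershell
# Added defensive audit (not from the article or the researcher's PoC).
# Assumptions: elevated PowerShell 5.1+ on the host under review; the task
# directories below are the standard locations; the broad-principal list and
# the write mask are this example's own definitions.
$taskDirs = @("$env:windir\Tasks", "$env:windir\System32\Tasks")
$broadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)
# Rights that let a low-privileged principal alter the task file or its security.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::WriteDac -bor
             [System.Security.AccessControl.FileSystemRights]::WriteOwner -bor
             [System.Security.AccessControl.FileSystemRights]::Delete

$findings = foreach ($dir in $taskDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $file   = $_
        $acl    = Get-Acl -LiteralPath $file.FullName
        $issues = @()

        # A null DACL is rendered in SDDL as "D:NO_ACCESS_CONTROL" and means the
        # file has no access restrictions at all, which is the condition the
        # article describes for legacy .job files.
        if ($acl.Sddl -match 'D:NO_ACCESS_CONTROL' -or $acl.Access.Count -eq 0) {
            $issues += 'null or empty DACL'
        }

        # Flag Allow entries that give write, DAC or owner rights to broad groups.
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $broadPrincipals -contains $ace.IdentityReference.Value -and
                (($ace.FileSystemRights -band $writeMask) -ne 0)) {
                $issues += "$($ace.IdentityReference.Value) has $($ace.FileSystemRights)"
            }
        }

        # The quoted technique relies on an NTFS hard link; the FileSystem
        # provider's LinkType property reports 'HardLink' when a file has more
        # than one link (assumed behaviour of the provider, verify on your build).
        if ($file.LinkType -eq 'HardLink') {
            $issues += 'file has additional hard links'
        }

        if ($issues.Count -gt 0) {
            [pscustomobject]@{
                Path   = $file.FullName
                Owner  = $acl.Owner
                Issues = ($issues -join '; ')
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No task files with weak DACLs or extra hard links found.'
}
```

On a patched system the script should report nothing; a non-empty result is a prompt to inspect the listed file (for example with `fsutil hardlink list <path>` to see where a hard link points) rather than proof of compromise, since administrators can legitimately relax a task file's permissions. The check only covers the file-permission symptom the article describes; applying the vendor fix once it is available remains the actual mitigation.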
The vulnerability discovered by SandboxEscaper is the fifth in a series that started in August last year. At that time, SandboxEscaper released four other Windows zero-days, namely, LPE in Advanced Local Procedure Call, LPE in Microsoft Data Sharing, LPE in ReadFile, and LPE in the Windows Error Reporting system.
Microsoft issued fixes for all these flaws within one or two months after they were publicly released.
SandboxEscaper also claims that she has discovered four other zero-day flaws (not yet disclosed), of which three are LPE vulnerabilities and the fourth one is a sandbox escape.
Source: Inquirer