Microsoft Windows Zero-Day Found in Task Scheduler

A zero-day flaw recently disclosed in Microsoft’s Windows task scheduler could enable a bad actor to gain elevated privileges. The flaw, which was disclosed Monday on Twitter, does not yet have a patch.

The issue exists in the Advanced Local Procedure Call (ALPC) interface of Microsoft Windows task scheduler in 64-bit operating systems (Windows 10 and Server 2016). Essentially, the API function of ALPC does not check permissions, so that any potential local bad actor can alter them.

“We have confirmed that the public exploit code works on 64-bit Windows 10 and Windows Server 2016 systems,” according to a note issued Monday by CERT. “Compatibility with other Windows versions may be possible with modification of the publicly-available exploit source code.”

The flaw was first disclosed Tuesday by Twitter user SandBoxEscaper, who also linked to a GitHub page with the for the flaw.

Here is the alpc bug as 0day: I don’t fucking care about life anymore. Neither do I ever again want to submit to MSFT anyway. Fuck all of this shit.

Exploit Breakdown

Researcher Kevin Beaumont confirmed the vulnerability with a breakdown of the exploit: “This exploit misuses SchRpcSetSecurity to alter permissions (I wouldn’t recommend running it a live system by the way) to allow a hard link to be created, and then calls a print job using XPS printer (installed with Windows XP Service Pack 2+) to call the hijack DLL as SYSTEM (via the Spooler process).”

Task scheduler is a function of Microsoft Windows that gives users the ability to schedule the launch of programs at pre-determined times. Its ALPC interface is essentially a process communication facility used by Windows OS components for message-transferring.

One part of this interface, SchRpcSetSecurity is open for access, so that anyone can set an arbitrary discretionary access control list, meaning they can set local file permissions.

The flaw does come with limitations – in order to gain elevated privileges, a bad actor would need to be local and exploitation needs prior code execution. Also, the exploit would need modifications to work on OSes other than 64-bit (i.e., 32-bit OS). “Also it hard-codes prnms003 driver, which doesn’t exist on certain versions (e.g. on Windows 7 it can be prnms001),” said Beaumont.

The problem also was confirmed by vulnerability analyst Will Dormann, who said the PoC works for a “fully-patched 64-bit Windows 10 system.”

I’ve confirmed that this works well in a fully-patched 64-bit Windows 10 system.
LPE right to SYSTEM!

The flaw is rated between 6.4 to 6.8 on the CVSS metrics system, which means that it is “medium” severity.

CERT/CC said it is currently unaware of a practical solution to this problem. Microsoft, for its part, told Threatpost its standard policy is to update during its regularly-scheduled Patch Tuesday release.

“Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible,” a Microsoft spokesperson told Threatpost. “Our standard policy is to provide solutions via our current Update Tuesday schedule.”