SandboxEscaper Releases Exploit for Zero-Day Vulnerability in Task Scheduler

Days after Microsoft released its monthly Patch Tuesday, a security researcher, going by the handle SandboxEscaper, published an exploit code for a zero-day vulnerability in Windows 10’s Task Scheduler. This is among a string of other proofs of concept (PoCs) and exploit codes for vulnerabilities in Windows 10 disclosed by SandboxEscaper.

Trend Micro’s advanced behavior monitoring solution included in Smart Protection Suites and Worry-Free Business Security proactively thwarts threats that may exploit this vulnerability. Trend Micro customers are advised to enable this feature in their respective products.

Here's the analysis of vulnerability CVE-2019-1069. No in-the-wild attacks have been reported, but Trend Micro is actively monitoring for any indications that the PoC has been weaponized.

Here’s an overview of the security flaw:

What is the vulnerability about?

The vulnerability is a local privilege escalation flaw in Task Scheduler, a utility that lets users automate and perform tasks at a specified time. The security flaw disclosed by SandBoxEscaper is related to the way the Task Scheduler imports legacy .JOB files (e.g., those imported from Windows XP or Vista), which contains a task’s configurations.

How is the vulnerability triggered?

The Task Scheduler service runs at the maximum level of privilege defined by the local machine, namely NT AUTHORITY\SYSTEM. It accepts certain requests via RPC, allowing clients to manage tasks scheduled on the machine. Low-privileged clients can use this interface as well, but they are restricted to defining tasks that will run with credentials possessed by the client. 

Task Scheduler stores tasks as files. There are two locations. The first, C:\Windows\Tasks, is a legacy location. The second location, used for all new tasks, is C:\Windows\System32\Tasks. We will call this the “preferred” folder. If an RPC client uses the service to modify a task that is represented in the legacy location C:\Windows\Tasks, then when the service saves the modifications, the task will be migrated to the preferred location of C:\Windows\System32\Tasks. 

When saving a task file to the preferred location, the service will set security information on the file granting ownership and full control to the owner of the task. Critically, the Task Scheduler service performs this action using its own highly-privileged SYSTEM token. 

The permissions on the two task folders permit all authenticated users to create files within those folders. One consequence of this is that a client can manually place a file in the legacy folder, then make use of the Task Scheduler to have the task migrated to the preferred folder. 

This particular combination of behaviors leaves an opening for a hard link attack. The essential steps of the attack are as follows: 

1. Create a new task.
2. Replace the file in the preferred folder with a hard link to an arbitrary target file.
3. Manually place a new task with the same name into the legacy folder.
4. Use the Task Scheduler RPC interface to migrate the task to the preferred folder. The Task Scheduler service will update the security information on the file in the preferred folder, granting ownership and full control to the attacker. Since this file is actually a hard link, this security information will be applied to the target file. 

Through this, an attacker can gain full control of any local file on all versions of Windows 10.

Is the PoC/exploit working?

Who is affected by this vulnerability?

The vulnerability affects users of these operating systems: 32- and 64-bit Windows 10, Windows Server 2016 and 2019. Windows 8 is also affected, but it is limited to the current user’s access to the files.

What is the vulnerability’s impact?

Successfully exploiting the vulnerability would allow the attackers to access normally protected files. Since it’s a permissions-related flaw, attackers can also chain this vulnerability to escalate low privileges to admin-level access. This could then be used to hijack the affected system.

What can be done to mitigate the risks related to this vulnerability?

Restricting the use of Task Scheduler and enforcing the principle of least privilege help prevent untrusted users from running code on systems/endpoints. Proactively monitoring user activity also helps detect suspicious actions on the system.

For now, Microsoft said they’re currently working on an update that will address the security flaw.

Updated as of June 2, 2019, 6:30 p.m. PDT to include additional analysis on how the vulnerability is triggered.