SandboxEscaper Releases Exploit for Zero-Day Vulnerability in Task Scheduler
Days after Microsoft released its monthly Patch Tuesday updates, a security researcher going by the handle SandboxEscaper published exploit code for a zero-day vulnerability in Windows 10's Task Scheduler. This is the latest in a string of proofs of concept (PoCs) and exploit codes for Windows 10 vulnerabilities disclosed by SandboxEscaper.
Trend Micro’s advanced behavior monitoring solution included in Smart Protection Suites and Worry-Free Business Security proactively thwarts threats that may exploit this vulnerability. Trend Micro customers are advised to enable this feature in their respective products.
Here's the analysis of the vulnerability, CVE-2019-1069. No in-the-wild attacks have been reported, but Trend Micro is actively monitoring for any indications that the PoC has been weaponized.
Here’s an overview of the security flaw:
The vulnerability is a local privilege escalation flaw in Task Scheduler, a utility that lets users automate and perform tasks at a specified time. The security flaw disclosed by SandboxEscaper is related to the way Task Scheduler imports legacy .JOB files (e.g., those imported from Windows XP or Vista), which contain a task's configuration.
The Task Scheduler service runs at the maximum level of privilege defined by the local machine, namely NT AUTHORITY\SYSTEM. It accepts certain requests via RPC, allowing clients to manage tasks scheduled on the machine. Low-privileged clients can use this interface as well, but they are restricted to defining tasks that will run with credentials possessed by the client.
Task Scheduler stores tasks as files. There are two locations. The first, C:\Windows\Tasks, is a legacy location. The second location, used for all new tasks, is C:\Windows\System32\Tasks. We will call this the “preferred” folder. If an RPC client uses the service to modify a task that is represented in the legacy location C:\Windows\Tasks, then when the service saves the modifications, the task will be migrated to the preferred location of C:\Windows\System32\Tasks.
When saving a task file to the preferred location, the service will set security information on the file granting ownership and full control to the owner of the task. Critically, the Task Scheduler service performs this action using its own highly-privileged SYSTEM token.
The permissions on the two task folders permit all authenticated users to create files within those folders. One consequence of this is that a client can manually place a file in the legacy folder, then make use of the Task Scheduler to have the task migrated to the preferred folder.
This particular combination of behaviors leaves an opening for a hard link attack. The essential steps of the attack are as follows:
Through this, an attacker can gain full control of any local file on all versions of Windows 10.
The vulnerability affects users of these operating systems: 32- and 64-bit Windows 10, Windows Server 2016 and 2019. Windows 8 is also affected, but it is limited to the current user’s access to the files.
Successfully exploiting the vulnerability would allow an attacker to access normally protected files. Since it is a permissions-related flaw, an attacker can also chain this vulnerability with others to escalate low privileges to admin-level access, which could then be used to hijack the affected system.
Restricting the use of Task Scheduler and enforcing the principle of least privilege help prevent untrusted users from running code on systems/endpoints. Proactively monitoring user activity also helps detect suspicious actions on the system.
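The folder behaviours described above and the monitoring advice just given translate into a few concrete checks. The PowerShell audit below is an added illustration and is not part of the Trend Micro article, nor a Microsoft or Trend Micro tool: it lists which principals may create files in each of the two task folders named in the article, flags any file in the legacy folder that carries more than one NTFS hard link (a task file normally has exactly one name), and pulls recent "scheduled task was created" events (Security event 4698) so task registrations can be correlated with the users who made them. The folder paths come from the article; the event ID, the audit-policy requirement and the fsutil usage are standard Windows features, and the selection logic and field parsing are this example's own assumptions.

```powershell
# Added audit script (illustration only; not from the Trend Micro article and not
# a Microsoft or Trend Micro tool). Run from an elevated PowerShell prompt on
# Windows 10 / Server 2016 / Server 2019. Folder paths are the ones the article
# names; everything else here is this example's own assumption.

$legacyFolder    = 'C:\Windows\Tasks'            # legacy .JOB location
$preferredFolder = 'C:\Windows\System32\Tasks'   # where the service migrates tasks

# 1. Who can create files in each task folder? The article states that all
#    authenticated users can; this prints the allow rules that grant write-type
#    rights so an administrator can confirm that on the host being checked.
foreach ($folder in @($legacyFolder, $preferredFolder)) {
    Write-Host "`n[ACL] $folder"
    (Get-Acl -Path $folder).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.FileSystemRights -match 'CreateFiles|Write|Modify|FullControl'
        } |
        Select-Object IdentityReference, FileSystemRights, IsInherited |
        Format-Table -AutoSize
}

# 2. Files in the legacy folder that have more than one NTFS hard link.
#    A task file normally has exactly one name, so a second link to a file
#    in C:\Windows\Tasks is the indicator worth reviewing given the hard-link
#    attack the article describes.
Write-Host "`n[Hard links] files in $legacyFolder with more than one name"
Get-ChildItem -Path $legacyFolder -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file  = $_
        # fsutil prints every path (without drive letter) that refers to the
        # file, one per line; more than one line means more than one hard link
        $names = @(& fsutil.exe hardlink list $file.FullName 2>$null)
        if ($names.Count -gt 1) {
            [pscustomobject]@{
                File      = $file.FullName
                LinkCount = $names.Count
                AllNames  = ($names -join ' ; ')
            }
        }
    } | Format-Table -AutoSize

# 3. Recent task registrations from the Security log (event 4698,
#    "A scheduled task was created"). This event is only written when the
#    "Audit Other Object Access Events" subcategory is enabled, so an empty
#    result may mean auditing is off rather than that no tasks were created.
Write-Host "`n[Events] scheduled tasks created in the last 24 hours"
Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4698
        StartTime = (Get-Date).AddHours(-24)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ Name = 'Account';  Expression = {
            if ($_.Message -match 'Account Name:\s*(\S+)') { $Matches[1] } } },
        @{ Name = 'TaskName'; Expression = {
            if ($_.Message -match 'Task Name:\s*(\S+)')    { $Matches[1] } } } |
    Format-Table -AutoSize
```

Section 2 is the part most specific to this flaw: because migration is what turns a legacy task file into a SYSTEM-written DACL change, a file in C:\Windows\Tasks with a second name is worth investigating before it is touched through the service. Section 3 is only as good as the host's audit policy, so pair it with the "Audit Other Object Access Events" setting in the Group Policy baseline.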
Microsoft has said it is working on an update that will address the security flaw.
Updated as of June 2, 2019, 6:30 p.m. PDT to include additional analysis on how the vulnerability is triggered.