Exploit developer SandboxEscaper reveals Windows 10 Task Scheduler zero-day -- and says there are more to come
Well-known security researcher and revealer of exploits SandboxEscaper has released details of a Windows 10 zero-day that affects Task Scheduler. This is far from being the first time we've heard from SandboxEscaper, and this time around the exploit could enable an attacker to gain full control of Windows 10 or Windows Server files.
The researcher has previously revealed details of numerous other security vulnerabilities in Windows, and promises: "I have four more unpatched bugs where that one came from". Furthermore, she says: "I'm donating all my work to enemies of the US".
SandboxEscaper shared her most recent findings on GitHub and also boasted about it on her Blogspot blog. The latest exploit takes advantage of the fact that Task Scheduler can import legacy .JOB files. A video posted to GitHub show a proof of concept for the exploit:
SandboxEscaper just released this video as well as the POC for a Windows 10 priv esc pic.twitter.com/IZZzVFOBZc
— Chase Dardaman (@CharlesDardaman) May 21, 2019
The method has been tested by others and found to be successful:
I can confirm that this works as-is on a fully patched (May 2019) Windows 10 x86 system. A file that is formerly under full control by only SYSTEM and TrustedInstaller is now under full control by a limited Windows user.
Works quickly, and 100% of the time in my testing. pic.twitter.com/5C73UzRqQk
— Will Dormann (@wdormann) May 21, 2019
The exploit is neatly summed up by BleepingComputer:
What happens is that Task Scheduler imports a JOB file with arbitrary DACL (discretionary access control list) control rights. In lack of a DACL, the system grants any user full access to the file.
The researcher explains that the bug is exploitable by importing legacy task files into the Task Scheduler on Windows 10. Running a command using executables 'schtasks.exe' and 'schedsvc.dll' copied from the old system leads to a remote procedure call (RPC) to "_SchRpcRegisterTask" - a method that registers a task with the server, exposed by the Task Scheduler service.
In a blog post, entitled simply "New bug", SandboxEscaper said:
If any non-western people want to buy LPEs, let me know. (Windows LPE only, not doing any other research nor interested in doing so). Won't sell for less then 60k for an LPE.
I don't owe society a single thing. Just want to get rich and give you fucktards in the west the middlefinger.
Microsoft is yet to respond to the revelation, but will undoubtedly release a patch in due course -- although the company has been beaten to the punch on more than one occasion recently by 0patch.