Exploit developer SandboxEscaper reveals Windows 10 Task Scheduler zero-day -- and says there are more to come


Well-known security researcher and revealer of exploits SandboxEscaper has released details of a Windows 10 zero-day that affects Task Scheduler. This is far from being the first time we've heard from SandboxEscaper, and this time around the exploit could enable an attacker to gain full control of Windows 10 or Windows Server files.

The researcher has previously revealed details of numerous other security vulnerabilities in Windows, and promises: "I have four more unpatched bugs where that one came from". Furthermore, she says: "I'm donating all my work to enemies of the US".

SandboxEscaper shared her most recent findings on GitHub and also boasted about it on her Blogspot blog. The latest exploit takes advantage of the fact that Task Scheduler can import legacy .JOB files. A video posted to GitHub shows a proof of concept for the exploit.

The method has been tested by others and found to be successful.

The exploit is neatly summed up by BleepingComputer:

What happens is that Task Scheduler imports a JOB file with arbitrary DACL (discretionary access control list) control rights. In the absence of a DACL, the system grants any user full access to the file.

The researcher explains that the bug is exploitable by importing legacy task files into the Task Scheduler on Windows 10. Running a command using executables 'schtasks.exe' and 'schedsvc.dll' copied from the old system leads to a remote procedure call (RPC) to "_SchRpcRegisterTask" - a method that registers a task with the server, exposed by the Task Scheduler service.
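The effect described above is a task file whose DACL is missing or lets any user take full control. The following audit script is an added example, not code from the article or from SandboxEscaper's repository; it walks the Task Scheduler file store and reports task files whose DACL grants broad principals write or permission-change rights. It assumes the default store path %SystemRoot%\System32\Tasks and an elevated prompt.

```powershell
# Added audit example (not from the article or SandboxEscaper's repo):
# report task files whose DACL lets low-privilege principals modify them.
# Assumption: default task store under %SystemRoot%\System32\Tasks; run elevated.
$taskStore = Join-Path $env:SystemRoot 'System32\Tasks'

# Well-known SIDs that every interactive user belongs to.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Rights that let a principal rewrite the file or its permissions.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, ChangePermissions, TakeOwnership'

function Test-TaskFileDacl {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # .NET surfaces a NULL DACL as a single Allow ACE granting Everyone FullControl,
    # so the "no DACL" case the article describes is caught by the same loop.
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            continue   # orphaned or untranslatable identity; not one of the broad groups
        }
        if (-not $broadSids.ContainsKey($sid)) { continue }
        if (($ace.FileSystemRights -band $writeMask) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $broadSids[$sid]
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

Get-ChildItem -LiteralPath $taskStore -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object { Test-TaskFileDacl -Path $_.FullName } |
    Format-Table -AutoSize
```

An empty table is the expected result on a healthy system; any row is a task file whose permissions should be compared against a known-good baseline.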

In a blog post, entitled simply "New bug", SandboxEscaper said:

New bug

https://github.com/SandboxEscaper/polarbearrepo/tree/master/bearlpe

If any non-western people want to buy LPEs, let me know. (Windows LPE only, not doing any other research nor interested in doing so). Won't sell for less than 60k for an LPE.

Contact: Sandboxescaper@protonmail.com

I don't owe society a single thing. Just want to get rich and give you fucktards in the west the middlefinger.

Microsoft is yet to respond to the revelation, but will undoubtedly release a patch in due course -- although the company has been beaten to the punch on more than one occasion recently by 0patch.

Image credit: g0d4ather and StockSmartStart / Shutterstock

© 1998-2019 BetaNews, Inc. All Rights Reserved.