SandboxEscaper is back with a new Windows Zero-Day in Win 10 Task Scheduler

The developer SandboxEscaper makes the headlines again, this time by publicly releasing exploit code for a Windows zero-day that affects the Windows 10 Task Scheduler.

Since August 2018, the expert has already revealed four other Windows zero-day vulnerabilities without reporting them to Microsoft before disclosing them to the public.

The new zero-day was disclosed a week after Microsoft had released its monthly Patch Tuesday security updates.

Like the Windows zero-day disclosed in August, this new issue affects the Microsoft Windows Task Scheduler.

SandboxEscaper demonstrated that it is possible to trigger the Windows zero-day by importing malformed legacy tasks (.JOB format) into the Task Scheduler utility; such legacy tasks can still be added on newer versions of the operating system.

Every JOB file imported by the Task Scheduler is assigned arbitrary DACL (discretionary access control list) control rights.

The expert pointed out that when a file has no DACL, the system grants any user full access to it.

There are two folders for tasks: c:\windows\tasks, kept for legacy purposes, and c:\windows\system32\tasks, used by the Task Scheduler.

In the old days (i.e. Windows XP), tasks were placed in c:\windows\tasks in the “.job” file format.

The researcher explains that to trigger the flaw it is necessary to import legacy task files into the Task Scheduler on Windows 10. This is done by copying old .job files into c:\windows\tasks and running a command with the ‘schtasks.exe’ and ‘schedsvc.dll’ executables copied from the old system; this results in a remote procedure call (RPC) to “_SchRpcRegisterTask”, a function exposed by the Task Scheduler service that registers a task with the server.

“If on windows 10 you want to import a .job file into the task scheduler you have to copy your old .job files into c:\windows\tasks and run the following command using ‘schtasks.exe and schedsvc.dll’ copied from the old system: ‘schtasks /change /TN "taskname" /RU username /RP password’

(found this here: https://social.technet.microsoft.com/Forums/windowsserver/en-US/467e5cab-2368-42de-ae78-d86b644a0e71/transfer-scheduled-tasks-to-server-2008?forum=winserverMigration)

This will result in a call to the following RPC “_SchRpcRegisterTask”, which is exposed by the task scheduler service. (I assume that to trigger this bug you can just call into this function directly without using that schtasks.exe copied from windows xp.. but I am not great at reversing 🙁   )” wrote the expert.

“It starts out by impersonating the current user. But when it hits the following function:

int __stdcall tsched::SetJobFileSecurityByName(LPCWSTR StringSecurityDescriptor, const unsigned __int16 *, int, const unsigned __int16 *)

It starts impersonating itself (NT AUTHORITY\SYSTEM)! And then calls SetSecurityInfo on a task it created in c:\windows\system32\tasks.” he added.

In short, the expert discovered that even starting with limited privileges it is possible to obtain SYSTEM rights by invoking this specific function. SandboxEscaper published a video PoC of the Windows zero-day that shows how to trigger it on Windows x86.

Will Dormann, vulnerability analyst at CERT/CC, confirmed that the Windows zero-day works on a fully patched (May 2019) Windows 10 x86 system.

Dormann was able to reproduce the issue by recompiling the code on 64-bit Windows 10 and Windows Server 2016 and 2019; only on Windows 8 and 7 was it not possible to reproduce it.
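The mechanism described above comes down to file permissions on task files: a task file with no DACL, or with write-class rights for broad groups, is what an attacker needs to abuse. The following PowerShell audit script is an added example for defenders and is not part of the article or of SandboxEscaper's code. It inventories legacy .job files in C:\Windows\Tasks (which should normally be absent on a modern Windows 10 system), flags task files under C:\Windows\System32\Tasks whose DACL is missing or grants write-class rights to broad principals, and lists recent task registrations from the Task Scheduler operational log. The list of "broad principals", the write-rights mask and the use of Event ID 106 (task registered) as a signal are assumptions I am making for the example; the folder paths are the ones named in the article.

```powershell
# Added audit script (not from the article or from SandboxEscaper): look for the
# conditions the article describes, i.e. legacy .job files on a modern system and
# task files whose DACL is absent or overly permissive.
$LegacyDir = 'C:\Windows\Tasks'          # legacy task folder named in the article
$TaskDir   = 'C:\Windows\System32\Tasks' # folder used by the Task Scheduler service

# Assumption: these identities should never hold write-class rights on a task file.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Assumption: any of these rights lets a low-privileged user alter a task definition.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::WriteDac -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-RiskyTaskAcl {
    # Returns a finding object for a risky task file, or $null when the ACL looks sane.
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -Path $Path

    # Zero access rules means either a null DACL (everyone gets full access, the
    # case the article describes) or an empty DACL (nobody gets access). Both are
    # abnormal for a task file, so report them for manual review.
    if ($acl.Access.Count -eq 0) {
        return [pscustomobject]@{
            Path      = $Path
            Principal = '*'
            Reason    = 'No DACL entries (null or empty DACL)'
        }
    }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        $hasWrite = ([int]$ace.FileSystemRights -band [int]$WriteMask) -ne 0
        if (($BroadPrincipals -contains $id) -and $hasWrite) {
            return [pscustomobject]@{
                Path      = $Path
                Principal = $id
                Reason    = "Write-class rights ($($ace.FileSystemRights)) for broad principal"
            }
        }
    }
    return $null
}

# 1. Legacy .job files on Windows 10 are an anomaly worth looking at.
Get-ChildItem -Path $LegacyDir -Filter '*.job' -File -ErrorAction SilentlyContinue |
    ForEach-Object { "LEGACY JOB: $($_.FullName) (modified $($_.LastWriteTime))" }

# 2. Inspect every registered task file. Run from an elevated prompt: reading
#    ACLs under System32\Tasks requires administrative rights.
$findings = Get-ChildItem -Path $TaskDir -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object { Test-RiskyTaskAcl -Path $_.FullName } |
    Where-Object { $null -ne $_ }

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No task files with missing or overly broad DACLs found.'
}

# 3. Recent task registrations (Event ID 106, "Task registered"). Assumption for
#    this example: the operational log is enabled; on Windows 10 it is off by
#    default, so enable it via Event Viewer or wevtutil before relying on it.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-TaskScheduler/Operational'
    Id        = 106
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap
```

Run the script from an elevated PowerShell session; the ACL check is a heuristic that will surface legitimate but unusual permissions as well, so treat its output as a review list rather than a verdict.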

Unfortunately for Microsoft, the problems do not end here: SandboxEscaper announced at least four more Windows zero-day vulnerabilities, three local privilege escalation (LPE) issues leading to code execution and a sandbox escape.

SandboxEscaper wants to sell the exploits for the above issues to non-western buyers and asks at least 60,000 each for the Local Privilege Escalation bugs.

“Oh and I have 4 more unpatched bugs where that one came from.
3 LPEs (all gaining code exec as system, not lame delete bugs or whatever), and one sandbox escape.” she wrote.

“If any non-western people want to buy LPEs, let me know. (Windows LPE only, not doing any other research nor interested in doing so). Won’t sell for less than 60k for an LPE.”

“I don’t owe society a single thing. Just want to get rich and give you *** in the west the middlefinger.”

Since August, SandboxEscaper has publicly dropped exploits for two Windows zero-day vulnerabilities forcing Microsoft to quickly address them to avoid its users being targeted by hackers.

In October, SandboxEscaper released the proof-of-concept exploit code for Microsoft Data Sharing that allowed a low privileged user to delete critical system files from Windows systems.

In December, she published proof-of-concept (PoC) code for a new Windows zero-day, the fourth she has released this year.

Stay tuned …



Pierluigi Paganini

(SecurityAffairs – SandboxEscaper, hacking)


Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
