Zero-Day Local Privilege Escalation Flaw Confirmed in Window 10 Systems
A zero-day flaw was disclosed on Monday regarding the Windows Task Scheduler in 64-bit Windows 10 and Windows Server 2016 systems for which there are no known patches or specific workarounds.
A vulnerability note to that effect was published on Tuesday by the U.S. Computer Emergency Readiness Team (CERT). Researcher Will Dormann, a vulnerability analyst with CERT/CC, confirmed that the exploit code works on those systems, adding that it may be possible to modify the code to run on other Windows versions. The exploit code allows an attacker with local user access privileges to gain system access privileges. The flaw specifically resides in the Advanced Local Procedure Call interface, he added.
Security researcher Kevin Beaumont provided an analysis of the exploit code, saying that it "misuses SchRpcSetSecurity to alter permissions." It uses the Print Spooler service to gain system access privileges using hard links. "Essentially if you can alter permissions and create hardlinks you can do a bunch of Bad Things(tm)," he wrote.
Organizations can use Sysmon to detect if the exploit is actively being used, Beaumont explained:
If you use Microsoft Sysmon, look for spoolsv.exe spawning abnormal processes -- it's a sure sign this exploit is being used (or another Spooler exploit). Similarly if you use Sysmon, look for connhost.exe (Task Scheduler) spawning under abnormal processes (e.g. the Print Spooler).
An attacker would need to have local access permissions beforehand to carry out such an attack, according to Beaumont.
The exploit had been posted on GitHub but was later removed. Beaumont reposted the code at this GitHub page. The author of the exploit had announced it via the SandBoxEscaper Twitter handle, expressing frustrations about life and submitting exploits to Microsoft.
The exploit apparently wasn't vetted beforehand by Microsoft as part of the usual responsible disclosure approach advocated by security researchers. There appears to be no response published at the Microsoft Security Response Center or other security venues. However, Microsoft did send a general statement saying that it looks into security issues and addresses them during its Update Tuesday releases, which was published in this ZDNet article. Microsoft also told The Register that it will "proactively update" devices as soon as possible.
Beaumont vaguely mentioned a few general mitigation strategies to adopt, such as not allowing untrusted users to run code on systems, but he noted that Microsoft will have to address the problem, which "will probably happen in a few weeks."
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.