A new zero-day flaw has been attributed to Microsoft’s Windows 10 platform. Detailed by the US Computer Emergency Response Team (CERT), the vulnerability is within the Windows task scheduler API. The problem could allow an attacker to alter permissions and gain wider system access.
While CERT detailed the flaw, it was discovered by SandboxEscaper, who also provided a proof-of-concept (PoC) for the problem.
To exploit the vulnerability, an attacker would need local access to the PC. The problem is still worrying, however: the flaw is buried in the Windows 10 task scheduler, where an API function does not check permissions.
CERT discussed the vulnerability earlier this week and stated there is no current patch available.
Here is the alpc bug as 0day: https://t.co/m1T3wDSvPX I don't fucking care about life anymore. Neither do I ever again want to submit to MSFT anyway. Fuck all of this shit.
— SandboxEscaper (@SandboxEscaper) August 27, 2018
Specifically, the vulnerability affects 64-bit versions of Windows 10 and Server 2016. A problem in Advanced Local Procedure Call (ALPC) means permissions are not checked, so a user could alter permissions to gain access to the system.
“We have confirmed that the public exploit code works on 64-bit Windows 10 and Windows Server 2016 systems,” according to a note issued Monday by CERT. “Compatibility with other Windows versions may be possible with modification of the publicly-available exploit source code.”
Exploiting Open Access
Windows 10 includes a task scheduler that allows users to schedule when programs will launch. The SchRpcSetSecurity function is an open-access part of the interface. This allows anyone with local access to set file permissions on the machine.
Another researcher, Kevin Beaumont, confirmed the problem exists and explained how it could be exploited:
“This exploit misuses SchRpcSetSecurity to alter permissions (I wouldn’t recommend running it on a live system by the way) to allow a hard link to be created, and then calls a print job using XPS printer (installed with Windows XP Service Pack 2+) to call the hijack DLL as SYSTEM (via the Spooler process).”
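As an added example (not from the article, CERT, or either researcher), here is one defender-side check for the last step Beaumont describes, a hijacked DLL loaded by the Spooler process. It assumes Sysmon image-load events (Event ID 7) already parsed into dicts; the sample events, file names and the expected-directory list are constructed for illustration.

```python
import ntpath

# Assumption: directories the Spooler is expected to load modules from.
# This list is illustrative, not from the article; tune it per environment.
EXPECTED_DIRS = (r"c:\windows\system32", r"c:\windows\winsxs")

# Constructed sample events using Sysmon Event ID 7 (ImageLoad) field names.
SAMPLE_EVENTS = [
    {"EventID": 7, "UtcTime": "2018-08-28 10:00:01", "Image": r"C:\Windows\System32\spoolsv.exe",
     "ImageLoaded": r"C:\Windows\System32\localspl.dll", "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 7, "UtcTime": "2018-08-28 10:00:05", "Image": r"C:\Windows\System32\spoolsv.exe",
     "ImageLoaded": r"C:\Windows\System32\spool\drivers\x64\3\example.dll", "Signed": "false"},
    {"EventID": 7, "UtcTime": "2018-08-28 10:00:07", "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Users\demo\example.dll", "Signed": "false"},
    {"EventID": 7, "UtcTime": "2018-08-28 10:00:09", "Image": r"C:\Windows\System32\spoolsv.exe",
     "ImageLoaded": r"C:\Windows\System32\..\Temp\example2.dll", "Signed": "true", "SignatureStatus": "Valid"},
]

def is_spooler(image):
    """True when the loading process is the Print Spooler service binary."""
    return ntpath.basename(image or "").lower() == "spoolsv.exe"

def under_expected_dir(path):
    """Normalise case, slashes and '..' before comparing against the allowlist."""
    p = ntpath.normcase(ntpath.normpath(path or ""))
    return any(p.startswith(d + "\\") for d in EXPECTED_DIRS)

def suspicious_spooler_loads(events):
    """Return (time, dll, reasons) for Spooler DLL loads that look hijacked."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 7 or not is_spooler(ev.get("Image")):
            continue
        reasons = []
        # A DLL overwritten through a hard link no longer carries a valid signature.
        if str(ev.get("Signed", "false")).lower() != "true":
            reasons.append("unsigned")
        elif ev.get("SignatureStatus") != "Valid":
            reasons.append("bad-signature")
        if not under_expected_dir(ev.get("ImageLoaded")):
            reasons.append("unexpected-path")
        if reasons:
            findings.append((ev.get("UtcTime"), ev.get("ImageLoaded"), reasons))
    return findings

if __name__ == "__main__":
    for finding in suspicious_spooler_loads(SAMPLE_EVENTS):
        print(finding)
```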