
Windows 10 Task Scheduler Flaw Could Give Attackers System Access

A zero-day flaw in the Windows 10 task scheduler means a bad actor with local access to the machine could change system permissions.


A new flaw has been found in Microsoft's Windows platform. Detailed by the US Computer Emergency Response Team (CERT), the vulnerability lies in the Windows task scheduler API. It could allow an attacker to alter permissions and gain wider access to the system.

While CERT detailed the flaw, it was discovered by SandboxEscaper, who also published a proof-of-concept (PoC) exploit for it.

To exploit the vulnerability, the bad actor would first need local access to the PC. Even so, the problem is worrying: the flaw is buried in the Windows 10 task scheduler, where an API function does not check the caller's permissions.

CERT published its note on the vulnerability earlier this week and stated that no patch is currently available.

https://twitter.com/SandboxEscaper/status/1034125195148255235

Specifically, the vulnerability affects 64-bit versions of Windows 10 and Windows Server 2016. The task scheduler's Advanced Local Procedure Call (ALPC) interface does not check the caller's permissions, so a local user can alter permissions to gain access to the system.

“We have confirmed that the public exploit code works on 64-bit Windows 10 and Windows Server 2016 systems,” according to a note issued Monday by CERT. “Compatibility with other Windows versions may be possible with modification of the publicly-available exploit source code.”

Exploiting Open Access

Windows 10 includes a task scheduler that allows users to schedule when programs will launch. SchRpcSetSecurity is an openly accessible part of that interface, and anyone with local access can call it to set file permissions on the machine.

Another researcher, Kevin Beaumont, confirmed the problem exists and explained how it could be exploited:

“This exploit misuses SchRpcSetSecurity to alter permissions (I wouldn't recommend running it on a live system by the way) to allow a hard link to be created, and then calls a print job using XPS printer (installed with Windows XP Service Pack 2+) to call the hijack DLL as SYSTEM (via the Spooler process).”

Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.