Proof-of-Concept Exploit for Windows Task Scheduler Published

A security researcher released proof-of-concept code that would allow for a user to exploit a flaw in the Windows Task Scheduler.

The flaw was discovered by Github user SandboxEscaper, who was also responsible for publishing the proof-of-concept (PoC) code. The flaw, a local privilege escalation vulnerability, was found in the Advanced Local Procedure Call (ALPC) interface. If a hacker were to exploit the flaw, they could elevate malware from a USER role to a SYSTEM account. This promotion would give the hacker full access to the system.

The Task Scheduler API function SchRpcSetSecurity does not check permissions, which would allow any user, including a guest, to call the function and set file permissions locally.

SandboxEscaper’s code would allow SYSTEM access to gain on any Windows 64-bit system. All Windows 10 64-bit users are vulnerable to an attack. The exploit works on all Windows Server 2016 systems, but not on Windows 32 versions. Security researchers have not confirmed if it is possible to alter the code the exploit code to work on different Windows versions.

SandboxEscaper did not notify Microsoft of the flaw before publishing the PoC exploit. However, the company have since stated that they are aware of the flaw, and their researchers are working on a patch for all affected devices.
There is no fix available for the vulnerability at present. Microsoft is likely to address the issue in the next Patch Tuesday on September 11, unless they deem the flaw so severe that it warrants an emergency patch. There is currently not thought to be a practical solution that can be implemented until the release of a patch to protect vulnerable users.

A medium severity CVSSv3 base score of 6.8 was assigned to the vulnerability.

Twitter Facebook LinkedIn Reddit Copy link Link copied to clipboard
Photo of author

Posted by

Emma Taylor

Emma Taylor is the contributing editor of Defensorum. Emma started on Defensorum as a news writer in 2017 and was promoted to editor in 2022. Emma has written and edited several hundred articles related to IT security and has developed a deep understanding of the sector. You can follow Emma on https://twitter.com/defensorum and contact Emma at emmataylor@defensorum.com.
Twitter