Exploit developer SandboxEscaper has quietly released a new zero-day exploit for the Windows operating system, just one week after Microsoft's monthly security update cycle.
This is the fifth such release in a row since the end of August last year. It provides local privilege escalation, taking a limited user account to full control over files reserved for highly privileged accounts such as SYSTEM and TrustedInstaller.
Incorrect file permissions
Once again, SandboxEscaper targets the Task Scheduler utility, abusing its ability to import legacy tasks from other systems. In the days of Windows XP, tasks were stored in the .JOB format, and such files can still be imported into newer versions of the operating system.
What happens is that Task Scheduler imports a JOB file with an arbitrary DACL (discretionary access control list). When a file has no DACL at all, the system gives every user full access to it.
The researcher explains that the bug can be triggered by importing a legacy task file into Task Scheduler on Windows 10. Running commands through the executables 'schtasks.exe' and 'schedsvc.dll' copied from the old system results in a remote procedure call (RPC) to "_SchRpcRegisterTask", a method that registers a task with the server and is exposed by the Task Scheduler service.
"I assume you can simply trigger this bug by calling this function directly without using the schtasks.exe copied from Windows XP... but I'm not big-brained," SandboxEscaper said.
She added that what starts with restricted privileges ends with system rights at one particular function call. To prove that her work is correct, she shared a video showing the PoC in action on Windows x86.
Will Dormann, a vulnerability analyst at CERT/CC, elaborates by saying that SandboxEscaper's proof-of-concept code exploits a vulnerability in the Windows 10 Task Scheduler "where SetSecurityInfo() is called on a task that is imported in the legacy format."
"The exploit calls it once, deletes the file, and then calls it again with an NTFS hard link pointing to a file whose permissions get overwritten with SetSecurityInfo()," the security expert told BleepingComputer.
Dormann tested the exploit code and confirmed that it worked without any modification on a fully patched Windows 10 x86 system, with a 100% success rate.
I can confirm that this works as-is on a fully patched (May 2019) Windows 10 x86 system. A file that was previously under full control by SYSTEM and TrustedInstaller is now fully controlled by a limited Windows user.
It runs quickly and 100% of the time in my testing. pic.twitter.com/5C73UzRqQk
– Will Dormann (@wdormann) May 21, 2019
To work on 64-bit Windows 10, the code first needs to be recompiled, but the same result is achieved, as it is on Server 2016 and 2019.
The only versions of the operating system on which Dormann could not reproduce SandboxEscaper's exploit are Windows 8 and 7.
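The end state the article describes (a file formerly reserved for SYSTEM and TrustedInstaller that a limited user now fully controls) is something a defender can audit for after the fact. The following PowerShell script is an added example, not code from the article or from SandboxEscaper; the default directory, the list of low-privileged principals and the rights mask it treats as risky are assumptions to adjust for your environment.

```powershell
# Added example (not from the article): audit a directory for files whose DACL
# grants write-class rights to low-privileged principals, or that have no DACL
# at all (which Windows treats as full access for everyone). Such a file under
# a protected system directory is the outcome the article describes.
param(
    [string]$Path = "$env:SystemRoot\System32",   # assumption: directory to audit
    [switch]$Recurse
)

# Assumption: principals that a limited user account is a member of.
$lowPrivPrincipals = @('Everyone', 'BUILTIN\Users',
                       'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Any of these bits in an Allow ACE lets a limited user change the file or its security.
$riskyMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

Get-ChildItem -LiteralPath $Path -File -Recurse:$Recurse -ErrorAction SilentlyContinue |
ForEach-Object {
    # Files we cannot read the security descriptor of are skipped silently.
    $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { return }

    $reasons = @()
    # A null DACL is rendered in SDDL as D:NO_ACCESS_CONTROL.
    if ($acl.GetSecurityDescriptorSddlForm('Access') -match '^D:NO_ACCESS_CONTROL') {
        $reasons += 'null DACL (everyone has full access)'
    }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $riskyMask) -ne 0) {
            $reasons += "$($ace.IdentityReference) has $($ace.FileSystemRights)"
        }
    }
    if ($reasons.Count -gt 0) {
        # Owner is reported so a reviewer can see which protected account's
        # file has ended up writable by ordinary users.
        [pscustomobject]@{
            File     = $_.FullName
            Owner    = $acl.Owner
            Findings = ($reasons -join '; ')
        }
    }
}
```

A clean System32 should produce no output; each object returned names a file worth comparing against a known-good system or the installation media.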
More zero-days may be coming
The developer announced on her blog that she has four more unpublished zero-day bugs. Three of them are local privilege escalation (LPE) vulnerabilities that lead to code execution, and the fourth is a sandbox escape.
Oh, and I have 4 more bugs where this one came from.
3 LPEs (they all get code exec as SYSTEM, not crappy delete bugs or anything), and one sandbox escape.
It appears she wants to sell them to non-western customers and is asking at least 60,000 for each LPE bug. It is not clear whether the currency of a potential transaction would be US dollars or euros.
If any non-western people want to buy LPEs, let me know. (Windows LPE only, I don't do any other research, nor am I interested in it.) I won't sell for less than 60k per LPE.
I don't owe society anything. I just want to get rich and give you, the West, the middle finger.
Although this is a bold statement, SandboxEscaper has a history of publishing zero-days.
Her first publicly released zero-day exploit also targeted the Task Scheduler. The second, released at the end of October 2018, allowed the deletion of any file on the system, regardless of the privileges of the user running it.
The third exploit followed just before Christmas, allowing attackers to read any file on the system with system-level access. The fourth exploit code came a day before the end of the year and enabled arbitrary data files to be copied.