New Windows 10 Security Exploit
A security researcher who has a history of releasing zero day exploits for Windows operating systems has again struck. This happened just days after the Patch Tuesday security updates were released. It’s unlikely that Windows 10 users will have a fix before June 11, at the earliest. What did SandboxEscaper do? What are the risks? Is there something worse?
Exploit published a Task Scheduler vulnerability leak that allowed attackers to perform a local privilege elevation (LPE) and take complete control of the fully patched current Windows 10 version.
Sanboxescaper focused on the Task Scheduler and exploited a bug in Windows 10. He called an RPC* Function “SchRpcRegisterTask”, which registers a task with a server. This function is exposed by task scheduler.
What should you do?
Table of Contents
1. Don’t panic! Don’t panic! Anything that interacts with task scheduler will be very obvious and easy to spot. Many enterprises have many additional security controls/behaviour monitoring that will keep you “safe”.
What should you do at your home?
Make sure your security software is current and avoid using “cracked” software. Avoid unsecure websites and don’t allow macros to be enabled from e-mails ( beware of phishing attacks).
*Remote Procedure call (RPC) allows one program to request a service from another program on a network, without needing to understand the details of the network.
Technical Details
Base on SandboxEscaper tasks are placed in c.windowstasks under the “.job” file format. To import a.job file to the task scheduler on Windows 10, you will need to copy your.job files to c:windowstasks. Next, run the following command using “schtasks.exe” and “schedsvc.dll”, both copied from the old system.
An attacker can create a malformed.job files that exploits a flaw within the Task Scheduler process to change DACL (discretionary Access Control List) permissions for an individual folder.
The vulnerability can be exploited to give a hacker admin access. This gives the hacker access to the entire system.
SandboxEscaper warned that she found more Zero-day’s, and it’s on the way.
“Oh, and there are 4 more unpatched bugs from the same source.
Three LPEs (all gaining codes exec as systems, not lame delete bugs) and one sandbox escape.
A security researcher who has a history of releasing zero day exploits for Windows operating systems has again struck. This happened just days after the Patch Tuesday security updates were released. It’s unlikely that Windows 10 users will have a fix before June 11, at the earliest. What did SandboxEscaper do? What are the risks? Is there something worse?
What just happened?
SandboxEscaper, a security researcher, has posted online a proof-of-concept demo of a Windows zero day exploit. This local privilege escalation exploit (LPE), is the fifth in a series that SandboxEscaper dropped into Windows over the past year. Although this latest proof of concept does not allow anyone to access your computer, it does provide a way for those who wish to do so to raise their system privileges to administrator level and grant them full access to your data.
SandboxEscaper used Windows Task Scheduler previously for malicious purposes. This latest zero-day is no different. It uses it to import a malformed task files and exploit a vulnerability in Task Scheduler’s handling of discretionary access control lists (DACL) rights for such files.