Microsoft Windows task scheduler 0-day outed on Twitter

vtqhtr413
Thread author
Aug 17, 2017
A privilege escalation bug has been discovered in Windows' task scheduler and revealed on Twitter. A proof-of-concept has been published, and the vulnerability has been confirmed to be present in a "fully-patched 64-bit Windows 10 system." The security flaw was exposed on Twitter by user SandboxEscaper -- who has since deleted his or her account. An advisory about the vulnerability has been posted on CERT/CC, and Microsoft says that it is working to fix the problem.

In a tweet posted from a now-deleted account, @SandboxExplorer linked to a proof-of-concept on GitHub saying:

Full story: Microsoft Windows task scheduler 0-day outed on Twitter
 
I think it would have been a lot more responsible for the full details to have been held privately for at least 90 days after notifying Microsoft.
It is already in the wild, since it was posted by that Twitter user, so hiding it would only make it harder for the good guys.

I am glad it fails on mine. With my default setup, explorer.exe crashes; when I allow WMI/unsigned exe/remove policies, it still fails. :giggle:
 

Attachments

  • capture_08282018_173645.jpg (224.1 KB)
  • capture_08282018_173942.jpg (249.5 KB)
It is already in the wild, since it was posted by that Twitter user, so hiding it would only make it harder for the good guys.
Apologies, I should have been clearer. I agree with what you are saying.

What I was trying to say earlier was that I think it would have been more responsible for the individual who discovered the vulnerability to have held off from sharing the full details publicly until Microsoft knew about it and also had a fair amount of time to patch it.
 
It is unlikely that some researchers just dropped it there; they know the proper procedures. It looks like a third party wishing to stay anonymous. There are many vulnerabilities being exploited: some will never be discovered, some will take years like WMF. Either way, it is better to know. :geek:

MS takes its time; Google reports vulnerabilities in 10 all the time after MS fails to fix them within 90 days, not to mention others.

Google Discloses Windows Vulnerability That Microsoft Fails To Patch, Again!
 
source: Temporary Patch Available for Recent Windows Task Scheduler ALPC Zero-Day

Earlier this week a security researcher released exploit code for a Windows zero-day affecting the Task Scheduler ALPC interface. Today, cyber-security firm Acros Security published a temporary fix (called a micropatch) that prevents exploitation of that particular zero-day.
Users can apply the temporary patch by downloading and installing the 0patch Agent client.

Micropatch currently available for latest Windows 10 only

The patch is only available for users of 64-bit Windows 10 v1803 versions, Mitja Kolsek, CEO of Acros Security, told Bleeping Computer today via email.

"We're releasing a Windows Server 2016 micropatch tomorrow," Kolsek said.
 
I tried the exploit on my Windows 10 ver. 1803 64-bit test system (UAC set to max). It worked as expected and the payload could elevate to SYSTEM rights (no UAC prompt). It worked also on SUA with the UAC max setting, so this is one of the exceptional UAC bypasses. It requires the command line, so it can be executed via CMD, PowerShell, shortcut, etc. Yet, both the payload and the exploit have to be run on the system.
Users who use a default-deny setup are protected against all similar threats, because the exploit injector and the payload will not be executed at all.
 
I tried the exploit on my test system (UAC set to max) - it worked as expected and the process could elevate to SYSTEM rights (no UAC prompt). It worked also on SUA with the UAC max setting, so this is one of the exceptional UAC bypasses. It requires the command line, so it can be executed via CMD, PowerShell, shortcut, etc.
Users who use a default-deny setup are protected against all similar threats, because the exploit injector will not be executed at all.
Thanks @Andy Ful (y) I guess it also works on Guest. Did you test if the code from 0patch or the one from Karsten Nilsen worked?



 
...
Did you test if the code from 0patch or the one from Karsten Nilsen worked?
...
Unfortunately, no. I am busy now with another project.
I believe that the patches can block the exploit on most computers. Yet, it would be very hard to test whether the patched components work stably and without unexpected issues on most computers. :emoji_pray::giggle: