About the vulnerability:
- A security researcher known by the Twitter handle SandboxEscaper released, on August 27, source code exploiting a security bug in the Advanced Local Procedure Call (ALPC) interface used by the Windows Task Scheduler.
- The issue exists in the SchRpcSetSecurity API function, which fails to properly check the caller's permissions, granting WRITE access to files in C:\Windows\Tasks.
- The vulnerability affects Windows versions 7 through 10 and can be used by an attacker to escalate their privileges to the SYSTEM account level.
- This vulnerability is being exploited in the wild.
Workaround:
Microsoft has not yet patched the ALPC bug, but it is expected to release a fix on Patch Tuesday, September 11.
Using the Script Repository of Desktop Central, you can run a script that changes the permissions of the folder C:\Windows\Tasks:
1. Navigate to Desktop Central -> Configurations -> Script Repository -> Templates.
2. Search for the 'TaskSchedulerLocalPrivilegeEscalationTemporaryFix.bat' template.
3. Deploy the script to all your Windows machines with versions 7 through 10.
The following commands will run as part of the script:
- icacls c:\windows\tasks /remove:g "Authenticated Users"
- icacls c:\windows\tasks /deny system:(OI)(CI)(WD,WDAC)
4. Once the patch is released for this particular vulnerability, run the 'TaskSchedulerLocalPrivilegeEscalationFixRevert.bat' script to revert the settings.
The following commands will be executed:
- icacls c:\windows\tasks /remove:d system
- icacls c:\windows\tasks /grant:r "Authenticated Users":(RX,WD)
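To confirm on a given machine that the temporary fix above is actually in effect (and later, that the revert restored the original grants), the following PowerShell script reads the ACL of C:\Windows\Tasks and checks for the two changes the templates make. It is an added example, not part of the Desktop Central templates; the function names are this example's own, and it wraps the same icacls commands shown above.

```powershell
# Added example (not from the Desktop Central templates): check whether the
# Task Scheduler ALPC workaround is applied to C:\Windows\Tasks, and apply or
# revert it with the same icacls commands the page lists. Run elevated.
$TasksDir = "$env:SystemRoot\Tasks"

function Test-TasksMitigation {
    param([string]$Path = $TasksDir)
    $rules = (Get-Acl -Path $Path).Access

    # Fix step 1: "Authenticated Users" must no longer hold any Allow entry.
    $authUsersAllow = $rules | Where-Object {
        $_.IdentityReference -eq 'NT AUTHORITY\Authenticated Users' -and
        $_.AccessControlType -eq 'Allow'
    }

    # Fix step 2: SYSTEM must carry a Deny covering WriteData (WD) and
    # ChangePermissions (WDAC); (OI)(CI) makes it inherit to files/subfolders.
    $wd   = [System.Security.AccessControl.FileSystemRights]::WriteData
    $wdac = [System.Security.AccessControl.FileSystemRights]::ChangePermissions
    $systemDeny = $rules | Where-Object {
        $_.IdentityReference -eq 'NT AUTHORITY\SYSTEM' -and
        $_.AccessControlType -eq 'Deny' -and
        ($_.FileSystemRights -band $wd) -and
        ($_.FileSystemRights -band $wdac)
    }

    [pscustomobject]@{
        Path              = $Path
        AuthUsersRemoved  = (-not $authUsersAllow)
        SystemWriteDenied = [bool]$systemDeny
        Mitigated         = (-not $authUsersAllow) -and [bool]$systemDeny
    }
}

function Invoke-TasksMitigation {
    param([switch]$Revert, [string]$Path = $TasksDir)
    if ($Revert) {
        # Same commands as the revert template (remove the Deny first).
        icacls $Path /remove:d system
        icacls $Path /grant:r 'Authenticated Users:(RX,WD)'
    } else {
        # Same commands as the temporary-fix template.
        icacls $Path /remove:g 'Authenticated Users'
        icacls $Path /deny 'system:(OI)(CI)(WD,WDAC)'
    }
    Test-TasksMitigation -Path $Path
}

Test-TasksMitigation | Format-List
```

Before deploying the template fleet-wide, `Test-TasksMitigation` reports `Mitigated = False`; after the fix it should report `True`, and after `Invoke-TasksMitigation -Revert` it should return to `False` with `AuthUsersRemoved = False`.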
Stay tuned to our Patch Tuesday webinar to get more insights on the Windows Task Scheduler Zero-day!