A hacker goes by the handle “Sandbox Escaper” which specializes in sandbox escapes and local privilege escalation exploits has released another zero-day exploit for all versions of Windows 10 which would allow them full control over the server or computer.
This latest one works by abusing Windows’ schtasks tool, designed to run programs at scheduled times, along with quirks in the operating system.
The vulnerability resides in Task Scheduler, a utility that enables Windows users to schedule the launch of programs or scripts at a predefined time or after specified time intervals.
SandboxEscaper’s exploit code makes use of SchRpcRegisterTask, a method in Task Scheduler to register tasks with the server, which doesn’t properly check for permissions and can, therefore, be used to set an arbitrary DACL (discretionary access control list) permission.
“This will result in a call to the following RPC “_SchRpcRegisterTask,” which is exposed by the task scheduler service,” SandboxEscaper said.
A malicious program or a low-privileged attacker can run a malformed .job file to obtain SYSTEM privileges, eventually allowing the attacker to gain full access to the targeted system.
The exploit code imports a legacy job file into the Windows Task Scheduler using schtasks, creating a new task, and then deletes that new task’s file from the Windows folder. Next, it creates a hard filesystem link pointing from where the new task’s file was created to pci.sys, one of Windows’ kernel-level driver files, and then runs the same schtasks command again. This clobbers pci.sys’s access permissions so that it can be modified and overwritten by the user, thus opening the door to privileged code execution.
SandboxEscaper claims to have more zero-days up her sleeve aside from this latest vulnerability: “I have four more unpatched bugs where that one came from. Three LPEs [local privilege escalations], all gaining code exec as system.
Currently there are no patches or updates available for the product.
It is recommended to closely monitor SandEscaper activities as they are responsible for publicly revealing zero days.