An unofficial patch has been released for a recently disclosed zero-day vulnerability in Windows 10’s Task Scheduler.
An exploit for the vulnerability was posted online a couple of weeks ago by a security researcher who is using the online handle of SandboxEscaper and who has a history of revealing unpatched bugs in Microsoft’s operating system.
The issue is related to discretionary access control lists (DACL) and the Task Scheduler and was confirmed to work on fully patched Windows 10 systems, including 64-bit architectures.
An attacker could exploit the flaw locally to escalate privileges to System level. Essentially, the vulnerability allows the attacker to change permissions for any file by using schtasks to import a .job file into the Task Scheduler.
The vulnerability, however, could only be triggered using legacy schtasks.exe, which can be easily imported from Windows XP.
“We have confirmed that the public exploit code functions reliably on 32- and 64-bit Windows 10 platforms, as well as Windows Server 2016 and Windows Server 2019. While Windows 8 still contains this vulnerability, exploitation using the publicly-described technique is limited to files where the current user has write access, in our testing,” CERT/CC’s Will Dormann explains in a vulnerability note.
The published proof-of-concept code was designed to change the permissions on the pci.sys file by modifying its ownership. The file is normally owned by TrustedInstaller; once the exploit has run, the attacker can freely modify it.
While analyzing the manner in which the exploit works, 0patch’s security researchers discovered that only the legacy schtasks.exe can be abused to escalate privileges, as the modern Task Scheduler requires the user who creates a task to already have write permissions to any file the task modifies.
In the case of the old schtasks.exe, the process, which runs with the attacker’s privileges, “calls RPC endpoint taskcomp!SASetAccountInformation in Task Scheduler’s process svchost.exe (running as Local System), which in turn calls RPC endpoint schedsvc!_SchRpcSetSecurity in the same svchost.exe (still running as Local System),” the researchers explain.
Thus, since taskcomp.dll has Local System privileges and impersonates self, the last call is made with the same System privileges, which allows for the setting of DACL and ownership on any file.
To address the issue, the 0patch team “decided to replace self-impersonation with client-impersonation, and to do that, we removed the call to ImpersonateSelfWithPrivilege and injected a call to RpcImpersonateClient in its place.”
However, the exploit still worked, because another RPC call was made to SchRpcSetSecurity in taskcomp.dll in the event the first one was unsuccessful. Thus, the team decided to remove the call to SetSecurity entirely.
“After that, we got the desired behavior: The legacy schtasks.exe was behaving correctly when creating a new task from a job file, and […] the hard link trick no longer worked because the Task Scheduler process correctly identified the caller and determined that it doesn’t have sufficient permissions to change DACL or ownership on a system file,” 0patch’s Simon Raner and Mitja Kolsek explain.
The 0patch security researchers have released a micropatch to address the vulnerability on all Windows 10 systems running the 0patch Agent. The patch does not modify schedsvc.dll, meaning that the functionality of the new, non-legacy Task Scheduler is not affected at all.
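A defender-side check, added here and not taken from the article, from 0patch or from Microsoft, that a Windows administrator could run to look for the artifacts this article describes: pci.sys ownership or permissions changed away from the TrustedInstaller defaults, extra hard links on pci.sys, and legacy .job files of the kind the old schtasks.exe imports. It assumes the usual locations of pci.sys (System32\drivers) and of legacy Task Scheduler 1.0 job files (%SystemRoot%\Tasks).

```powershell
# Added audit script (not from the article or 0patch). Paths below are assumptions:
# the standard location of pci.sys and the legacy Task Scheduler 1.0 job folder.
$pciSys   = Join-Path $env:SystemRoot 'System32\drivers\pci.sys'
$jobDir   = Join-Path $env:SystemRoot 'Tasks'
$expected = 'NT SERVICE\TrustedInstaller'

$findings = @()
$acl = Get-Acl -Path $pciSys

# 1. Ownership: the published PoC moves ownership of pci.sys away from TrustedInstaller.
if ($acl.Owner -ne $expected) {
    $findings += "pci.sys owner is '$($acl.Owner)' (expected '$expected')"
}

# 2. DACL: any Allow ACE granting write, change-permissions or take-ownership
#    to a broad, unprivileged principal is a sign the DACL has been rewritten.
$rights    = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]($rights::WriteData -bor $rights::ChangePermissions -bor $rights::TakeOwnership)
foreach ($ace in $acl.Access) {
    $who = $ace.IdentityReference.Value
    if ($ace.AccessControlType -eq 'Allow' -and
        (([int]$ace.FileSystemRights -band $writeMask) -ne 0) -and
        $who -match '^(BUILTIN\\Users|Everyone|NT AUTHORITY\\Authenticated Users)$') {
        $findings += "pci.sys grants $($ace.FileSystemRights) to $who"
    }
}

# 3. Hard links: the PoC relies on a hard link pointing at the target file,
#    so pci.sys normally has exactly one path listed here.
$links = & fsutil hardlink list $pciSys 2>$null
if ($links -and @($links).Count -gt 1) {
    $findings += "pci.sys has multiple hard links: $(@($links) -join '; ')"
}

# 4. Legacy .job files: only jobs imported through the old schtasks.exe take the
#    vulnerable code path, so recent .job files deserve a look.
Get-ChildItem -Path $jobDir -Filter '*.job' -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += "legacy job file: $($_.FullName) (modified $($_.LastWriteTime))"
}

if ($findings.Count -eq 0) { 'No indicators found.' } else { $findings }
```

Run it from an elevated PowerShell session so that Get-Acl and fsutil can read the driver file; a non-empty findings list is a prompt for investigation, not proof of compromise on its own.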
Contacted by SecurityWeek for comment on the vulnerability, Microsoft said that it is committed to delivering updates to impacted devices as soon as possible. What remains to be seen is whether an official fix will be included in next week’s set of security updates.