Security experts at 0patch released an unofficial patch to address a recently disclosed zero-day vulnerability in Windows 10 Task Scheduler.
A couple of weeks ago, researcher SandboxEscaper released a working exploit for the vulnerability, Like the Windows zero-day disclosed in August, this new issue affects Microsoft Windows Task Scheduler.
SandboxEscaper demonstrated that is possible to trigger the Windows zero-day by using malformed legacy tasks (.JOB format) and importing them in the Task Scheduler utility. and they can still be added to newer versions of the operating system.
Every JOB file is imported by the Task Scheduler with arbitrary DACL (discretionary access control list) control rights.
The experts pointed out that in the absence of the DACL, the system grants any user full access to the file.
The researcher explained that in order to trigger the flaw it is necessary to import legacy task files into the Task Scheduler on Windows 10.
“Microsoft Windows contains a privilege escalation vulnerability in the way that
Dormann was able to reproduce the issue Recompiling the code on 64-bit Windows 10 and Windows Server 2016 and 2019, only on Windows 8 and 7 it was not possible to reproduce it.
“We have confirmed that the public exploit code functions reliably on 32- and 64-bit Windows 10 platforms, as well as Windows Server 2016 and Windows Server 2019.” continues Dormann. “While Windows 8 still contains this vulnerability, exploitation using the publicly-described technique is limited to files where the current user has write access, in our testing,”
According to experts at 0patch, only legacy schtasks.exe can be abused to escalate privileges. Unlike legacy schtasks.exe, the modern Task Scheduler would require the user setting the task to modify a file to have write permissions to that file.
“After some head-scratching, we remembered that this attack only works with the legacy schtasks.exe, and not with the new one. Could it be that the old schtasks.exe was calling some other RPC function than _SchSetRpcSecurity, which then in turn called _SchSetRpcSecurity via RPC?” reads the analysis published by 0patch.
The researchers discovered that the process, which runs with attacker privileges, calls RPC endpoint taskcomp!SASetAccountInformation in Task Scheduler’s process svchost.exe (running as Local System), which in turn calls RPC endpoint schedsvc!_SchRpcSetSecurity in the same svchost.exe (still running as Local System).
Experts discovered that taskcomp.dll has Local System privileges and impersonates self (Local System) to enable the SeRestorePrivilege privilege that is needed for it to set DACL and ownership on any file.
“We therefore decided to replace self-impersonation with client-impersonation, and to do that, we removed the call to ImpersonateSalfWithPrivilege and injected a call to RpcImpersonateClient in its place.”
Unfortunately, the exploit was still working because another RPC call was made to SchRpcSetSecurityin taskcomp.dll when the first RPC call fails. Then the experts at 0patch completely removed the call to SetSecurity.
“After that, we got the desired behavior: The legacy schtasks.exe was behaving correctly when creating a new task from a job file, and […] the hard link trick no longer worked because the Task Scheduler process correctly identified the caller and determined that it doesn’t have sufficient permissions to change DACL or ownership on a system file,” continues 0patch.
0patch released a micropatch to address the vulnerability on all Windows 10 systems running the 0patch Agent. Researchers explained that the micropatch does not modify schedsvc.dll, this means that non-legacy Task Scheduler is not affected.
“As always, if you have 0patch Agent installed and registered, this
“Following our guidelines on which patches to provide for free, this micropatch affects many home and education users, and is therefore included in both FREE and PRO 0patch license until Microsoft provides an official fix. After that the micropatch will only be included in the PRO license.”
The micropatch released 0patch works on fully updated: