Sponsored by Keepnet Labs

New Windows 10 Security Exploit Can Read All Your Files – What You Need To Know

Security Exploit
22 May
By Cyber Security, News, Security Review / Reports , , , , , , , , , , 0 Comments

New Windows 10 Security Exploit

A security researcher with a history of releasing zero-day exploits for the Windows operating system has struck again; this time just days after the latest Patch Tuesday security updates were rolled out. Which means that it’s unlikely there will be a fix for Windows 10 users until June 11 at the earliest. So what did SandboxEscaper just drop into the Windows threatscape, what are the risks and is there worse to come?

In this leak, Exploit published for Task Scheduler vulnerability let attackers perform a local privilege escalation (LPE) and gain complete control of fully patched current version of Windows 10.

Sanboxescaper concentrated with the Task Scheduler and exploited the bug in Windows 10 by calling an RPC* Function “SchRpcRegisterTask“ ( a method registers a task with the server) which is exposed by the task scheduler service.

What should you do!

1. Don’t panic! As anything that interacts with the task scheduler is going to be pretty unsubtle and fairly easy to detect
2. Most of the enterprises have MANY ADDITIONAL SECURITY CONTROLS /behaviour monitoring which will keep you “safe” 

What should you do at home ?

Ensure your security software is up to date and try do not use “cracked software” , try to stay away from unsecure web sites and make sure to not enable macros that you have received in a e-mail ( beware of phishing attacks ) 

*Remote Procedure Call (RPC) is a protocol that one program can use to request a service from a program located in another computer on a network without having to understand the network’s details.

Technical Details 

Base on SandboxEscaper  tasks would be placed in c:\\windows\\tasks in the “.job” file format. If on windows 10 you want to import a .job file into the task scheduler you have to copy your old .job files into c:\windows\tasks and run the following command using “schtasks.exe and ‘schedsvc.dll” copied from the old system”

Attackers can run a malformed .job file that exploits a flaw in the way the Task Scheduler process changes DACL (discretionary access control list) permissions for an individual file. 

When exploited, the vulnerability can elevate a hacker’s low-privileged account to admin access, which, in turn, grants the intruder access over the entire system

SandboxEscaper also warned that She found more Zero-day’s and it’s coming on the way.

“Oh, and I have 4 more unpatched bugs where that one came from.

3 LPEs (all gaining code exec as a system, not lame delete bugs or whatever), and one sandbox escape.”

A security researcher with a history of releasing zero-day exploits for the Windows operating system has struck again; this time just days after the latest Patch Tuesday security updates were rolled out. Which means that it’s unlikely there will be a fix for Windows 10 users until June 11 at the earliest. So what did SandboxEscaper just drop into the Windows threatscape, what are the risks and is there worse to come?

What just happened?

A security researcher going by the name of SandboxEscaper has posted a proof of concept demo for a Windows zero-day exploit online. This local privilege escalation (LPE) exploit is the fifth in a series of zero-days that SandboxEscaper has dropped into the Windows environment over the last year. The latest proof of concept doesn’t enable anyone to actually access your computer, but it does provide a method by which those who do so can upgrade their system privileges to an administrator level and in so doing grant them carte blanche to your data.

SandboxEscaper has previous for using the Windows Task Scheduler tool for nefarious purposes and this latest zero-day is no exception. It uses it to import and run a malformed task file that exploits a vulnerability in the way that Task Scheduler handles discretionary access control list (DACL) rights for such files without DACL permissions; giving full control to any user rather than just the system admin. Will Dormann, a vulnerability analyst at CERT/CC, explained in a tweet that the exploit “works as-is on a fully patched Windows 10 x86 system… quickly, and 100% of the time in my testing.” It also works, according to Dormann, on a 64-bit Windows 10 computer if “you are not afraid to compile your own code.”

What was the motivation?

As mentioned, SandboxEscaper has a reputation for releasing exploit code without any prior disclosure to Microsoft. Reporting on one of these last year, Forbes contributor Marco Chiappetta suggested that “depression may have been a factor in SandboxEscaper’s decision to post the exploit” and quoted her as saying “I screwed up, not MSFT (they are actually a cool company). Depression sucks.”

However, in her latest blog postings announcing the new exploit, SandboxEscaper writes “I don’t owe society a single thing. Just want to get rich and give you f*cktards in the west the middle finger. I’m donating all my work to enemies of the U.S.” Make of that what you will. The timing is also interesting as it comes straight after the monthly Microsoft update cycle which means it leaves the window of exploit opportunity open until June 11 when the next cycle is scheduled.

 

Is there worse to come?

It appears that this isn’t going to be the last we hear from SandboxEscaper either. In that same series of blog posts, she says that she has four more unpatched zero-days. “If any non-western people want to buy LPEs,” she writes, “Won’t sell for less than 60k.” Ian Thornton-Trump, head of security at AmTrust International, told me during a conversation this morning that as far as the economics of selling exploits are concerned it’s “kind of a sh*thead move.”

You can understand why as Microsoft is known for having a pretty generous bug bounty program which enables researchers to cash in on their findings without taking the criminal route to riches. “It’s sad that folks burn the opportunity to contribute to the information security community,” Thornton-Trump said.

What can you do to mitigate the risk?

Given that it is unlikely, based on responses to the previous exploits released by SandboxEscaper, that we will see any patch to fix this zero-day until the next Patch Tuesday on June 11, what can you do to mitigate the risk? “I will tell you that anything that interacts with the task scheduler is going to be pretty unsubtle and fairly easy to detect,” Thornton-Trump advises, “probably even by Windows Defender.”

Of course, that doesn’t mean it will be an impotent threat and zero-day attacks must always be considered a very real and present danger to data. That said, Thornton-Trump isn’t panicking over this as most enterprise endpoints have many compensating security controls deployed and those should provide adequate protection.” Home users are advised to ensure their security software is up to date and take care to prevent attackers from gaining access to their systems in the first place…

As it was published in Forbes Magazine

Article from FORBES Davey Winder @happygeek

https://www.forbes.com/sites/daveywinder/2019/05/22/new-windows-10-threat-can-read-all-your-files-no-microsoft-patch-expected-before-june-11/

News :

Share this post

Author

Erdal is an Australian IT Professional with business development & management skills who focuses on securing the Cyber Space & sharing his real-life skills as a Security Adviser, Speaker, Lecturer, Author and Cybersecurity Architect.

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts

CYBERSECURITY SUMMIT MIDDLE EAST Dr Erdal ozkaya
24 Oct

CYBERSECURITY SUMMIT MIDDLE EAST: ZER0 TRUST & CLOUD free registration

CYBERSECURITY SUMMIT MIDDLE EAST Rising security breaches and sophisticated cyberattacks across enterprises and critical industries in the Middle East and... read more

Hacking is easy by Erdal Ozkaya
23 Feb

Hacking is easy! Don’t make it even easier for Attackers

Hacking is easy! We had Full house and 5 Star's review form the webinar I run few weeks back. If... read more

Incident Response in the age of cloudIncident Response in the age of cloud
27 Feb

New Book : Incident Response in the Age of Cloud

After many months of very hard work , finally my new book " Incident Response in the age of... read more

Network Security Administrator Erdal
06 Feb

Network Security Administrator (ENSA) Free Certification Week 3

Lecture 3: Intrusion Detection System (IDS) and Intrusion Prevention Systems (IPS) Firewalls Bastion Host and Honeypots DEMO: The use of IDS, IPS, and... read more

22 Oct

Microsoft Gulf Cybersecurity Master Class

  Microsoft Gulf Cybersecurity Master Class, it's always great to meet customers and talk about how we can help them... read more

14 Dec

Brand Protection Congress 2016 Free to join

Brand protection congress what a great event!. it was a pleasure to deliver the keynote on “Importance of Cybersecurity... read more

Kevin Mitnick Recommends Erdal Ozkaya
22 May

Kevin Mitnick recommends Learn Social Engineering by Erdal 0zkaya

Kevin Mitnick recommends Today I have received an Feedback which made me very happy. One of the very first known Social... read more

CISO Form Pakistan Dr Erdal Ozkaya
17 Apr

Security Challenges from Leaders Perspective : Free Webinar 4-21

Security Challenges from Leaders Perspective Cybersecurity Alliance Pakistan has brought leaders like Standard Chartered regional CISO , Huawei CTO together... read more

Enrolments pour in for free security course by Erdal Ozkaya
23 Jan

Enrolments pour in for free security course – 2014

Enrolments pour in for free security course IT Masters and Charles Sturt University have been flooded with enrolments for the Network... read more

The Importance of Cybersecurity
20 Jul

Importance of Cybersecurity – Part 1

Importance of Cybersecurity In this fast-paced industry, digitization and staying connected are playing a vital role. This is further coupled... read more