Sponsored by Keepnet Labs

New Windows 10 Security Exploit Can Read All Your Files – What You Need To Know

Security Exploit
22 May
By Cyber Security, News, Security Review / Reports , , , , , , , , , , 0 Comments

New Windows 10 Security Exploit

A security researcher with a history of releasing zero-day exploits for the Windows operating system has struck again; this time just days after the latest Patch Tuesday security updates were rolled out. Which means that it’s unlikely there will be a fix for Windows 10 users until June 11 at the earliest. So what did SandboxEscaper just drop into the Windows threatscape, what are the risks and is there worse to come?

In this leak, Exploit published for Task Scheduler vulnerability let attackers perform a local privilege escalation (LPE) and gain complete control of fully patched current version of Windows 10.

Sanboxescaper concentrated with the Task Scheduler and exploited the bug in Windows 10 by calling an RPC* Function “SchRpcRegisterTask“ ( a method registers a task with the server) which is exposed by the task scheduler service.

What should you do!

1. Don’t panic! As anything that interacts with the task scheduler is going to be pretty unsubtle and fairly easy to detect
2. Most of the enterprises have MANY ADDITIONAL SECURITY CONTROLS /behaviour monitoring which will keep you “safe” 

What should you do at home ?

Ensure your security software is up to date and try do not use “cracked software” , try to stay away from unsecure web sites and make sure to not enable macros that you have received in a e-mail ( beware of phishing attacks ) 

*Remote Procedure Call (RPC) is a protocol that one program can use to request a service from a program located in another computer on a network without having to understand the network’s details.

Technical Details 

Base on SandboxEscaper  tasks would be placed in c:\\windows\\tasks in the “.job” file format. If on windows 10 you want to import a .job file into the task scheduler you have to copy your old .job files into c:\windows\tasks and run the following command using “schtasks.exe and ‘schedsvc.dll” copied from the old system”

Attackers can run a malformed .job file that exploits a flaw in the way the Task Scheduler process changes DACL (discretionary access control list) permissions for an individual file. 

When exploited, the vulnerability can elevate a hacker’s low-privileged account to admin access, which, in turn, grants the intruder access over the entire system

SandboxEscaper also warned that She found more Zero-day’s and it’s coming on the way.

“Oh, and I have 4 more unpatched bugs where that one came from.

3 LPEs (all gaining code exec as a system, not lame delete bugs or whatever), and one sandbox escape.”

A security researcher with a history of releasing zero-day exploits for the Windows operating system has struck again; this time just days after the latest Patch Tuesday security updates were rolled out. Which means that it’s unlikely there will be a fix for Windows 10 users until June 11 at the earliest. So what did SandboxEscaper just drop into the Windows threatscape, what are the risks and is there worse to come?

What just happened?

A security researcher going by the name of SandboxEscaper has posted a proof of concept demo for a Windows zero-day exploit online. This local privilege escalation (LPE) exploit is the fifth in a series of zero-days that SandboxEscaper has dropped into the Windows environment over the last year. The latest proof of concept doesn’t enable anyone to actually access your computer, but it does provide a method by which those who do so can upgrade their system privileges to an administrator level and in so doing grant them carte blanche to your data.

SandboxEscaper has previous for using the Windows Task Scheduler tool for nefarious purposes and this latest zero-day is no exception. It uses it to import and run a malformed task file that exploits a vulnerability in the way that Task Scheduler handles discretionary access control list (DACL) rights for such files without DACL permissions; giving full control to any user rather than just the system admin. Will Dormann, a vulnerability analyst at CERT/CC, explained in a tweet that the exploit “works as-is on a fully patched Windows 10 x86 system… quickly, and 100% of the time in my testing.” It also works, according to Dormann, on a 64-bit Windows 10 computer if “you are not afraid to compile your own code.”

What was the motivation?

As mentioned, SandboxEscaper has a reputation for releasing exploit code without any prior disclosure to Microsoft. Reporting on one of these last year, Forbes contributor Marco Chiappetta suggested that “depression may have been a factor in SandboxEscaper’s decision to post the exploit” and quoted her as saying “I screwed up, not MSFT (they are actually a cool company). Depression sucks.”

However, in her latest blog postings announcing the new exploit, SandboxEscaper writes “I don’t owe society a single thing. Just want to get rich and give you f*cktards in the west the middle finger. I’m donating all my work to enemies of the U.S.” Make of that what you will. The timing is also interesting as it comes straight after the monthly Microsoft update cycle which means it leaves the window of exploit opportunity open until June 11 when the next cycle is scheduled.

 

Is there worse to come?

It appears that this isn’t going to be the last we hear from SandboxEscaper either. In that same series of blog posts, she says that she has four more unpatched zero-days. “If any non-western people want to buy LPEs,” she writes, “Won’t sell for less than 60k.” Ian Thornton-Trump, head of security at AmTrust International, told me during a conversation this morning that as far as the economics of selling exploits are concerned it’s “kind of a sh*thead move.”

You can understand why as Microsoft is known for having a pretty generous bug bounty program which enables researchers to cash in on their findings without taking the criminal route to riches. “It’s sad that folks burn the opportunity to contribute to the information security community,” Thornton-Trump said.

What can you do to mitigate the risk?

Given that it is unlikely, based on responses to the previous exploits released by SandboxEscaper, that we will see any patch to fix this zero-day until the next Patch Tuesday on June 11, what can you do to mitigate the risk? “I will tell you that anything that interacts with the task scheduler is going to be pretty unsubtle and fairly easy to detect,” Thornton-Trump advises, “probably even by Windows Defender.”

Of course, that doesn’t mean it will be an impotent threat and zero-day attacks must always be considered a very real and present danger to data. That said, Thornton-Trump isn’t panicking over this as most enterprise endpoints have many compensating security controls deployed and those should provide adequate protection.” Home users are advised to ensure their security software is up to date and take care to prevent attackers from gaining access to their systems in the first place…

As it was published in Forbes Magazine

Article from FORBES Davey Winder @happygeek

https://www.forbes.com/sites/daveywinder/2019/05/22/new-windows-10-threat-can-read-all-your-files-no-microsoft-patch-expected-before-june-11/

News :

Share this post

Author

Erdal is an Australian IT Professional with business development & management skills who focuses on securing the Cyber Space & sharing his real-life skills as a Security Adviser, Speaker, Lecturer, Author and Cybersecurity Architect.

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts

Australian Information Security Association Erdal Ozkaya
14 Oct

Australian Information Security Association Keynote 2010

Australian Information Security Association This year the Australian Information Security Association is organizing the annual ASIA conference again, and I... read more

29 Aug

Leaked Australian Passports in G00GLE

Leaked Australian Passports in Google This is a post which I wrote while I was teaching EC Council’s famous Certified... read more

Rochester Institute of Technology
28 Mar

Rochester Institute of Technology Community Meetup – Join us for FREE

Special thanks to the Rochester Institute of Technology for their great hospitality. It was great to speak to young... read more

The Importance of Cybersecurity
20 Jul

Importance of Cybersecurity – Part 1

Importance of Cybersecurity In this fast-paced industry, digitization and staying connected are playing a vital role. This is further coupled... read more

Incident Response in the age of cloudIncident Response in the age of cloud
27 Feb

New Book : Incident Response in the Age of Cloud

After many months of very hard work , finally my new book " Incident Response in the age of... read more

16 Nov

New Book coming soon

I'm very pleased to announce that my friend Yuri Diogenes and I signed a contract with Packt Publishing to... read more

hackers mindset
12 Apr

Understanding hackers mindset in 2021

Understanding hackers mindset in 2021 There has been an accelerated growth of cybercrime over the last decade. Costs related to... read more

13 Sep

Effective cybersecurity requires participation from all

Ask a random person on the street what cybersecurity means to him or her, and you might get... read more

Hey! You! Get off my Network!
16 May

Hey! You! Get off my Network! Great session at MSTE 11

Hey! You! Get off my Network! Unbelievable , more then 2000 Microsoft TechEd North America attendees joined my session where... read more

update on the current cyber security threat profile
20 Mar

Erdal’s update on the current cyber security threat profile Free Webinar :

update on the current cyber security threat profile Join Microsoft #Cybersecurity Architect Dr Erdal Ozkaya tonight (7-8:30pm AEST) to hear... read more