New Windows 10 Security Exploit
A security researcher with a history of releasing zero-day exploits for the Windows operating system has struck again; this time just days after the latest Patch Tuesday security updates were rolled out. Which means that it’s unlikely there will be a fix for Windows 10 users until June 11 at the earliest. So what did SandboxEscaper just drop into the Windows threatscape, what are the risks and is there worse to come?
In this leak, Exploit published for Task Scheduler vulnerability let attackers perform a local privilege escalation (LPE) and gain complete control of fully patched current version of Windows 10.
Sanboxescaper concentrated with the Task Scheduler and exploited the bug in Windows 10 by calling an RPC* Function “SchRpcRegisterTask“ ( a method registers a task with the server) which is exposed by the task scheduler service.
What should you do!
Table of Contents
1. Don’t panic! As anything that interacts with the task scheduler is going to be pretty unsubtle and fairly easy to detect
2. Most of the enterprises have MANY ADDITIONAL SECURITY CONTROLS /behaviour monitoring which will keep you “safe”
What should you do at home ?
Ensure your security software is up to date and try do not use “cracked software” , try to stay away from unsecure web sites and make sure to not enable macros that you have received in a e-mail ( beware of phishing attacks )
*Remote Procedure Call (RPC) is a protocol that one program can use to request a service from a program located in another computer on a network without having to understand the network’s details.
Technical Details
Base on SandboxEscaper tasks would be placed in c:\\windows\\tasks in the “.job” file format. If on windows 10 you want to import a .job file into the task scheduler you have to copy your old .job files into c:\windows\tasks and run the following command using “schtasks.exe and ‘schedsvc.dll” copied from the old system”
Attackers can run a malformed .job file that exploits a flaw in the way the Task Scheduler process changes DACL (discretionary access control list) permissions for an individual file.
When exploited, the vulnerability can elevate a hacker’s low-privileged account to admin access, which, in turn, grants the intruder access over the entire system
SandboxEscaper also warned that She found more Zero-day’s and it’s coming on the way.
“Oh, and I have 4 more unpatched bugs where that one came from.
3 LPEs (all gaining code exec as a system, not lame delete bugs or whatever), and one sandbox escape.”
A security researcher with a history of releasing zero-day exploits for the Windows operating system has struck again; this time just days after the latest Patch Tuesday security updates were rolled out. Which means that it’s unlikely there will be a fix for Windows 10 users until June 11 at the earliest. So what did SandboxEscaper just drop into the Windows threatscape, what are the risks and is there worse to come?
What just happened?
A security researcher going by the name of SandboxEscaper has posted a proof of concept demo for a Windows zero-day exploit online. This local privilege escalation (LPE) exploit is the fifth in a series of zero-days that SandboxEscaper has dropped into the Windows environment over the last year. The latest proof of concept doesn’t enable anyone to actually access your computer, but it does provide a method by which those who do so can upgrade their system privileges to an administrator level and in so doing grant them carte blanche to your data.
SandboxEscaper has previous for using the Windows Task Scheduler tool for nefarious purposes and this latest zero-day is no exception. It uses it to import and run a malformed task file that exploits a vulnerability in the way that Task Scheduler handles discretionary access control list (DACL) rights for such files without DACL permissions; giving full control to any user rather than just the system admin. Will Dormann, a vulnerability analyst at CERT/CC, explained in a tweet that the exploit “works as-is on a fully patched Windows 10 x86 system… quickly, and 100% of the time in my testing.” It also works, according to Dormann, on a 64-bit Windows 10 computer if “you are not afraid to compile your own code.”
What was the motivation?
As mentioned, SandboxEscaper has a reputation for releasing exploit code without any prior disclosure to Microsoft. Reporting on one of these last year, Forbes contributor Marco Chiappetta suggested that “depression may have been a factor in SandboxEscaper’s decision to post the exploit” and quoted her as saying “I screwed up, not MSFT (they are actually a cool company). Depression sucks.”
However, in her latest blog postings announcing the new exploit, SandboxEscaper writes “I don’t owe society a single thing. Just want to get rich and give you f*cktards in the west the middle finger. I’m donating all my work to enemies of the U.S.” Make of that what you will. The timing is also interesting as it comes straight after the monthly Microsoft update cycle which means it leaves the window of exploit opportunity open until June 11 when the next cycle is scheduled.
Is there worse to come?
It appears that this isn’t going to be the last we hear from SandboxEscaper either. In that same series of blog posts, she says that she has four more unpatched zero-days. “If any non-western people want to buy LPEs,” she writes, “Won’t sell for less than 60k.” Ian Thornton-Trump, head of security at AmTrust International, told me during a conversation this morning that as far as the economics of selling exploits are concerned it’s “kind of a sh*thead move.”
You can understand why as Microsoft is known for having a pretty generous bug bounty program which enables researchers to cash in on their findings without taking the criminal route to riches. “It’s sad that folks burn the opportunity to contribute to the information security community,” Thornton-Trump said.
What can you do to mitigate the risk?
Given that it is unlikely, based on responses to the previous exploits released by SandboxEscaper, that we will see any patch to fix this zero-day until the next Patch Tuesday on June 11, what can you do to mitigate the risk? “I will tell you that anything that interacts with the task scheduler is going to be pretty unsubtle and fairly easy to detect,” Thornton-Trump advises, “probably even by Windows Defender.”
“Of course, that doesn’t mean it will be an impotent threat and zero-day attacks must always be considered a very real and present danger to data. That said, Thornton-Trump isn’t panicking over this as most enterprise endpoints have many compensating security controls deployed and those should provide adequate protection.” Home users are advised to ensure their security software is up to date and take care to prevent attackers from gaining access to their systems in the first place…
As it was published in Forbes Magazine
Article from FORBES Davey Winder @happygeek
Leave a Reply