ESB-2018.2558 - [Win] Microsoft Windows Task Scheduler: Administrator compromise - Existing account 2018-08-30

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2558
                       Vulnerability Note VU#906424
                              30 August 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Microsoft Windows Task Scheduler
Operating System:  Windows
Impact/Access:     Administrator Compromise -- Existing Account
Resolution:        None

Original Bulletin: 
   https://www.kb.cert.org/vuls/id/906424

--------------------------BEGIN INCLUDED TEXT--------------------

Vulnerability Note VU#906424

Microsoft Windows task scheduler contains a local privilege escalation
vulnerability in the ALPC interface

Original Release date: 27 Aug 2018 | Last revised: 29 Aug 2018

Overview

Microsoft Windows task scheduler contains a local privilege escalation
vulnerability in the Advanced Local Procedure Call (ALPC) interface, which can
allow a local user to obtain SYSTEM privileges.

Description

The Microsoft Windows task scheduler SchRpcSetSecurity API contains a
vulnerability in the handling of ALPC, which can allow a local user to gain
SYSTEM privileges. We have confirmed that the public exploit code works on
64-bit Windows 10 and Windows Server 2016 systems. We have also confirmed
compatibility with 32-bit Windows 10 with minor modifications to the public
exploit code. Compatibility with other Windows versions is possible with
further modifications.

Impact

A local user may be able to gain elevated (SYSTEM) privileges.

Solution

The CERT/CC is currently unaware of a practical solution to this problem.

Vendor Information

Vendor     Status    Date Notified  Date Updated
Microsoft  Affected  27 Aug 2018    27 Aug 2018

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score  Vector
Base           6.8    AV:L/AC:L/Au:S/C:C/I:C/A:C
Temporal       6.5    E:F/RL:U/RC:C
Environmental  6.4    CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

  o https://github.com/SandboxEscaper/randomrepo/blob/master/PoC-LPE.rar
  o https://doublepulsar.com/task-scheduler-alpc-exploit-high-level-analysis-ff08cda6ad4f
  o https://msdn.microsoft.com/en-us/library/cc248452.aspx

Credit

This issue was publicly disclosed by SandboxEscaper.

This document was written by Will Dormann.

Other Information

  o CVE IDs: Unknown
  o Date Public: 27 Aug 2018
  o Date First Published: 27 Aug 2018
  o Date Last Updated: 29 Aug 2018
  o Document Revision: 23

Feedback

If you have feedback, comments, or additional information about this
vulnerability, please send us email.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================