Executive Summary

Summary
Title: Microsoft Windows task scheduler contains a local privilege escalation vulnerability in the ALPC interface

Information
Name: VU#906424
First vendor publication: 2018-08-27
Vendor: VU-CERT
Last vendor modification: 2018-09-13
Severity (vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: NA
Base score: NA
Environmental score: NA
Impact subscore: NA
Temporal score: NA
Exploitability subscore: NA
 

Security-Database Scoring CVSS v2

CVSS vector: (AV:L/AC:L/Au:N/C:C/I:C/A:C)
CVSS base score: 7.2
Attack range: Local
CVSS impact score: 10
Attack complexity: Low
CVSS exploit score: 3.9
Authentication: None Required

Detail

Vulnerability Note VU#906424

Microsoft Windows task scheduler contains a local privilege escalation vulnerability in the ALPC interface

Original Release date: 27 Aug 2018 | Last revised: 13 Sep 2018

Overview

Microsoft Windows task scheduler contains a local privilege escalation vulnerability in the Advanced Local Procedure Call (ALPC) interface, which can allow a local user to obtain SYSTEM privileges.

Description

The Microsoft Windows task scheduler SchRpcSetSecurity API contains a vulnerability in the handling of ALPC, which can allow an authenticated user to overwrite the contents of a file that should be protected by filesystem ACLs. This can be leveraged to gain SYSTEM privileges. We have confirmed that the public exploit code works on 64-bit Windows 10 and Windows Server 2016 systems. We have also confirmed compatibility with 32-bit Windows 10 with minor modifications to the public exploit code. Compatibility with other Windows versions is possible with further modifications.

This vulnerability is being exploited in the wild.

Impact

An authenticated local user may be able to gain elevated (SYSTEM) privileges.

Solution

Apply an update

This issue is addressed in the Microsoft update for CVE-2018-8440.

Deploy Microsoft Sysmon Detection Rules

Kevin Beaumont has provided guidance for creating rules to detect exploitation of this vulnerability.

Set ACLs on the C:\Windows\Tasks directory

Karsten Nilsen has provided a mitigation for this vulnerability. Caution: This mitigation has not been approved by Microsoft. However, in our testing it does block exploits for this vulnerability. It also appears to let scheduled tasks continue to run, and users can continue to create new scheduled tasks as necessary. However, this change will reportedly break things created by the legacy task scheduler interface. This can include things like SCCM and the associated SCEP updates. Please test this mitigation to ensure that it does not cause unacceptable consequences in your environment.

To apply this mitigation, run the following commands in an elevated-privilege prompt:

icacls c:\windows\tasks /remove:g "Authenticated Users"
icacls c:\windows\tasks /deny system:(OI)(CI)(WD,WDAC)

Note that when a fix is made available for this vulnerability, these changes should be undone. This can be done by executing the following commands:

icacls c:\windows\tasks /remove:d system
icacls c:\windows\tasks /grant:r "Authenticated Users":(RX,WD)
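
A read-only check of which of the two states the directory is in, useful after applying or undoing the commands above. This is an added example, not part of the original note; the state labels and output field names are assumptions, and the two principals are matched by their well-known SIDs.

```powershell
# Added example (not from the original note): read-only ACL check.
param([string]$Path = (Join-Path $env:SystemRoot 'Tasks'))

# Well-known SIDs, so the check also works on localized Windows installs.
$AuthUsersSid = 'S-1-5-11'   # NT AUTHORITY\Authenticated Users
$SystemSid    = 'S-1-5-18'   # NT AUTHORITY\SYSTEM
$Rights       = [System.Security.AccessControl.FileSystemRights]

# Fetch explicit and inherited ACEs with identities expressed as SIDs.
$acl   = Get-Acl -LiteralPath $Path
$rules = $acl.GetAccessRules($true, $true,
            [System.Security.Principal.SecurityIdentifier])

# Any Allow ACE still granted to Authenticated Users
# (the first icacls command removes these).
$authAllow = @($rules | Where-Object {
    $_.IdentityReference.Value -eq $AuthUsersSid -and
    $_.AccessControlType -eq 'Allow'
})

# A Deny ACE for SYSTEM covering both WD (WriteData) and WDAC
# (ChangePermissions), as added by the second icacls command.
$sysDeny = @($rules | Where-Object {
    $_.IdentityReference.Value -eq $SystemSid -and
    $_.AccessControlType -eq 'Deny' -and
    ($_.FileSystemRights -band $Rights::WriteData) -and
    ($_.FileSystemRights -band $Rights::ChangePermissions)
})

# Hypothetical state labels used only by this script.
if ($sysDeny.Count -gt 0 -and $authAllow.Count -eq 0) {
    $state = 'MitigationApplied'
} elseif ($sysDeny.Count -eq 0 -and $authAllow.Count -gt 0) {
    $state = 'MitigationNotApplied'
} else {
    $state = 'Mixed'   # partially applied or partially reverted
}

[pscustomobject]@{
    Path                        = $Path
    State                       = $state
    AuthenticatedUsersAllowAces = $authAllow.Count
    SystemDenyWriteAces         = $sysDeny.Count
}
```

A `Mixed` result means only one of the two commands took effect, which is worth resolving before relying on the mitigation or declaring it rolled back.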

Vendor Information

Vendor      Status     Date Notified   Date Updated
Microsoft   Affected   27 Aug 2018     11 Sep 2018

CVSS Metrics

Group           Score   Vector
Base            6.8     AV:L/AC:L/Au:S/C:C/I:C/A:C
Temporal        6.5     E:F/RL:U/RC:C
Environmental   6.4     CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

  • https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8440
  • https://github.com/SandboxEscaper/randomrepo/blob/master/PoC-LPE.rar
  • https://doublepulsar.com/task-scheduler-alpc-exploit-high-level-analysis-ff08cda6ad4f
  • https://msdn.microsoft.com/en-us/library/cc248452.aspx
  • https://twitter.com/karsten_nilsen/status/1034406706879578112
  • https://www.welivesecurity.com/2018/09/05/powerpool-malware-exploits-zero-day-vulnerability/

Credit

This issue was publicly disclosed by SandboxEscaper.

This document was written by Will Dormann.

Other Information

  • CVE IDs: CVE-2018-8440
  • Date Public: 27 Aug 2018
  • Date First Published: 27 Aug 2018
  • Date Last Updated: 13 Sep 2018
  • Document Revision: 67


Original Source

Url : http://www.kb.cert.org/vuls/id/906424

Snort® IPS/IDS

Date Description
2018-10-09 Microsoft Windows ALPC task scheduler local privilege escalation attempt
RuleID : 47703 - Revision : 2 - Type : OS-WINDOWS
2018-10-09 Microsoft Windows ALPC task scheduler local privilege escalation attempt
RuleID : 47702 - Revision : 2 - Type : OS-WINDOWS

Alert History

Date Information
2018-11-29 21:21:38
  • Multiple Updates
2018-09-13 17:18:09
  • Multiple Updates
2018-09-12 00:18:44
  • Multiple Updates
2018-09-05 17:18:44
  • Multiple Updates
2018-09-04 21:19:34
  • Multiple Updates
2018-08-31 21:19:07
  • Multiple Updates
2018-08-31 00:18:26
  • Multiple Updates
2018-08-30 00:18:51
  • Multiple Updates
2018-08-29 21:18:54
  • Multiple Updates
2018-08-28 21:19:09
  • Multiple Updates
2018-08-28 17:19:10
  • Multiple Updates
2018-08-28 05:17:43
  • First insertion