Mysterious woman-hacker published exploit for increasing vulnerability of rights increase in Windows 10

On GitHub published PoC-code for vulnerability of privileges increase in Windows 10 that affects Windows Task Scheduler.

Despite vulnerabilities of rights’ shift do not allow hacking the system, attackers can use them on further stages to rise privileges from low level to level of administrator.

According to vulnerability description, published on GitHub, this bug is linked with the way Task Scheduler changes DACL extensions (Discretionary Access Control List, list of selective access management) for separate files.

Vulnerability allows attacker to rise rights on the system to administrator’s level and can be exploited with the use of specially formed .job file.

PoC–code published famous Internet-security expert SandboxEscaper. According to her words, exploit was tested on 32-bit Windows 10 systems, but, in theory, with certain adjustments can work on Windows XP and Server 2003 powered machines.

“That what starts with limited privileges ends up with SYSTEM rights when a particular function is encountered”, — said SandboxEscaper.

Old twitter post. Now SandboxEscaper microblog blocked.
Old twitter post. Now SandboxEscaper microblog blocked.

Will Dormann, a vulnerability analyst at CERT/CC checked exploit’s code and confirmed that is works without changes in improved Windows 10×86 with 100% success. For working with 64-bit Windows 10 it is necessary to recompile a code.

“The exploit calls the code once, deletes the file, and then calls it again with an NTFS hard link pointing to the file that gets permissions clobbered with SetSecurityInfo()”, — Will Dormann told.

For Windows 7 and 8 exploit does not work.

SandboxEscaper wrote in her blog that she has four more undisclosed 0-day bugs for Windows, but she wants to sale them to “non-western” companies and interested partied for $60 000.

“I don’t owe society a single thing. Just want to get rich and give you *** in the west the middlefinger”, — said SandboxEscaper.


About Trojan Killer

Carry Trojan Killer Portable on your memory stick. Be sure that you’re able to help your PC resist any cyber threats wherever you go.

Check Also

MageCart on the Heroku Cloud Platform

Researchers Found Several MageCart Web Skimmers On Heroku Cloud Platform

Researchers at Malwarebytes reported about finding several MageCart web skimmers on the Heroku cloud platform …

Android Spyware CallerSpy

CallerSpy spyware masks as an Android chat application

Trend Micro experts discovered the malware CallerSpy, which masks as an Android chat application and, …

Leave a Reply