On GitHub published PoC-code for vulnerability of privileges increase in Windows 10 that affects Windows Task Scheduler.Despite vulnerabilities of rights’ shift do not allow hacking the system, attackers can use them on further stages to rise privileges from low level to level of administrator.
According to vulnerability description, published on GitHub, this bug is linked with the way Task Scheduler changes DACL extensions (Discretionary Access Control List, list of selective access management) for separate files.
Vulnerability allows attacker to rise rights on the system to administrator’s level and can be exploited with the use of specially formed .job file.
PoC–code published famous Internet-security expert SandboxEscaper. According to her words, exploit was tested on 32-bit Windows 10 systems, but, in theory, with certain adjustments can work on Windows XP and Server 2003 powered machines.
“That what starts with limited privileges ends up with SYSTEM rights when a particular function is encountered”, — said SandboxEscaper.
Will Dormann, a vulnerability analyst at CERT/CC checked exploit’s code and confirmed that is works without changes in improved Windows 10×86 with 100% success. For working with 64-bit Windows 10 it is necessary to recompile a code.
“The exploit calls the code once, deletes the file, and then calls it again with an NTFS hard link pointing to the file that gets permissions clobbered with SetSecurityInfo()”, — Will Dormann told.
For Windows 7 and 8 exploit does not work.
SandboxEscaper wrote in her blog that she has four more undisclosed 0-day bugs for Windows, but she wants to sale them to “non-western” companies and interested partied for $60 000.
“I don’t owe society a single thing. Just want to get rich and give you *** in the west the middlefinger”, — said SandboxEscaper.