A zero-day flaw has been revealed by a Twitter user SandboxEscaper, for the Windows Task Scheduler in 64-bit Windows 10 and Windows Server 2016 systems. Apparently, this vulnerability is out in the wild, and there are no known patches or specific workarounds at present.
US-CERT has confirmed that the exploit works on 64-bit Windows 10 and Windows Server 2016 systems and is rooted in the Windows task scheduler.
In an angry Twitter post, SandboxEscaper also released a proof of concept to go along with the bug.
Here is the alpc bug as 0day: https://t.co/m1T3wDSvPX I don’t fucking care about life anymore. Neither do I ever again want to submit to MSFT anyway. Fuck all of this shit.
— SandboxEscaper (@SandboxEscaper) August 27, 2018
The nature of the tweet suggests that he had a bad experience with Microsoft while trying to submit either this bug or previous bugs to the company — which ultimately lead him to choose Twitter to disclose this serious vulnerability publicly.
How does it work?
Researcher Kevin Beaumont has given a breakdown of the exploit in a blog post.
“This exploit misuses SchRpcSetSecurity to alter permissions (I wouldn’t recommend running it a live system by the way) to allow a hard link to be created, and then calls a print job using XPS printer (installed with Windows XP Service Pack 2+) to call the hijack DLL as SYSTEM (via the Spooler process).”
Microsoft Windows has a ‘task scheduler’ function that gives users the ability to schedule execution of programs at pre-decided times. The ALPC interface in it is basically a process communication facility used by OS components in Windows for message-transferring.
Here, a part of this interface termed SchRpcSetSecurity is open for access so anyone can set local file permissions through it. Since the API function of ALPC does not check permissions, any potential local bad actor can alter them to gain escalated privileges.
In response to this incident, Microsoft stated to The Register that it would “proactively update impacted devices as soon as possible.” A fix for this issue will most likely arrive on Microsoft’s next Patch Tuesday that is scheduled for September 11.
