Friday, December 6, 2024
HomeComputer SecurityHacker Leaked New Unpatched Windows 10 Task Scheduler Zero-day POC Exploit Online

Hacker Leaked New Unpatched Windows 10 Task Scheduler Zero-day POC Exploit Online

Published on

SIEM as a Service

An anonymous hacker leaked a new Windows zero-day Proofs-of-concept online that exploit the vulnerability resides in the Windows Task Scheduler.

Sanboxescaper, a pseudonym of an unknown hacker who is known for frequently leaking Windows zero-day bugs online, and this is a fifth zero-day bug (1, 2, 3, 4 ) that has been leaked in a year since August 2018.

In this leak, Exploit published for Task Scheduler vulnerability let attackers perform a local privilege escalation (LPE) and gain complete control of fully patched current version of Windows 10.

- Advertisement - SIEM as a Service

Task Scheduler is a component of Microsoft Windows that provides the ability to schedule the launch of programs or scripts at pre-defined times or after specified time intervals.

Sanboxescaper concentrated with the Task Scheduler and exploited the bug in Windows 10 by calling an RPC Function SchRpcRegisterTask( a method registers a task with the server) which is exposed by the task scheduler service.

Remote Procedure Call (RPC) is a protocol that one program can use to request a service from a program located in another computer on a network without having to understand the network’s details.

It can be achieved by import legacy task files (“.job” file format) with arbitrary DACL Writes from other systems to Windows 10 Task Scheduler.

Arbitrary DACL writes allow a low-privileged user to change the system permissions, eventually, a local user gains complete control of the system.

Sandbox escaper explains, “For example, In the old days (i.e windows xp) tasks would be placed in c:\\windows\\tasks in the “.job” file format.

“If on windows 10 you want to import a .job file into the task scheduler you have to copy your old .job files into c:\windows\tasks and run the following command using “schtasks.exe and ‘schedsvc.dll” copied from the old system”

“I assume that to trigger this bug you can just call into this function directly without using that schtasks.exe copied from windows xp.. but I am not great at reversing”

Will Dormann, a Security researcher from US Cert Tested the exploit and confirms that the exploit is 100% working against fully patched Windows 10.

Mitja Kolsek, Co-Founder of 0patch, tested this zero-day and confirmed that “this 0day from SandboxEscaper to work on fully updated Windows 10. The DACL of any chosen file gets altered so that the provided user can arbitrarily modify it.”

This is not an end of Zero-day Leak

SandboxEscaper also warned that She found more Zero-day’s and it’s coming on the way.

“Oh, and I have 4 more unpatched bugs where that one came from.
3 LPEs (all gaining code exec as a system, not lame delete bugs or whatever), and one sandbox escape.”

Also, she said “If any non-western people want to buy LPEs, let me know. (Windows LPE only, not doing any other research nor interested in doing so). Won’t sell for less than 60k for an LPE.”|

“I don’t owe society a single thing. Just want to get rich and give you fucktards in the west the middle finger.”

There is no patch available for this Zero-day Vulnerability at this moment, But we can expect Microsoft to patch this flaw and release an update in next patch Tuesday update on June 12, 2019.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...

Russian BlueAlpha APT Exploits Cloudflare Tunnels to Distribute Custom Malware

BlueAlpha, a Russian state-sponsored group, is actively targeting Ukrainian individuals and organizations by using...

Russian Hackers Hijacked Pakistani Actor Servers For C2 Communication

Secret Blizzard, a Russian threat actor, has infiltrated 33 command-and-control (C2) servers belonging to...

Sophisticated Celestial Stealer Targets Browsers to Steal Login Credentials

Researchers discovered Celestial Stealer, a JavaScript-based MaaS infostealer targeting Windows systems that, evading detection...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...

Russian BlueAlpha APT Exploits Cloudflare Tunnels to Distribute Custom Malware

BlueAlpha, a Russian state-sponsored group, is actively targeting Ukrainian individuals and organizations by using...

Russian Hackers Hijacked Pakistani Actor Servers For C2 Communication

Secret Blizzard, a Russian threat actor, has infiltrated 33 command-and-control (C2) servers belonging to...