Hacker Leaked New Unpatched Windows 10 Task Scheduler Zero-day POC Exploit Online

An anonymous hacker leaked a new Windows zero-day Proofs-of-concept online that exploit the vulnerability resides in the Windows Task Scheduler.

Sanboxescaper, a pseudonym of an unknown hacker who is known for frequently leaking Windows zero-day bugs online, and this is a fifth zero-day bug (1, 2, 3, 4 ) that has been leaked in a year since August 2018.

In this leak, Exploit published for Task Scheduler vulnerability let attackers perform a local privilege escalation (LPE) and gain complete control of fully patched current version of Windows 10.

Task Scheduler is a component of Microsoft Windows that provides the ability to schedule the launch of programs or scripts at pre-defined times or after specified time intervals.

Sanboxescaper concentrated with the Task Scheduler and exploited the bug in Windows 10 by calling an RPC Function SchRpcRegisterTask( a method registers a task with the server) which is exposed by the task scheduler service.

Remote Procedure Call (RPC) is a protocol that one program can use to request a service from a program located in another computer on a network without having to understand the network’s details.

It can be achieved by import legacy task files (“.job” file format) with arbitrary DACL Writes from other systems to Windows 10 Task Scheduler.

Arbitrary DACL writes allow a low-privileged user to change the system permissions, eventually, a local user gains complete control of the system.

Sandbox escaper explains, “For example, In the old days (i.e windows xp) tasks would be placed in c:\\windows\\tasks in the “.job” file format.

“If on windows 10 you want to import a .job file into the task scheduler you have to copy your old .job files into c:\windows\tasks and run the following command using “schtasks.exe and ‘schedsvc.dll” copied from the old system”

“I assume that to trigger this bug you can just call into this function directly without using that schtasks.exe copied from windows xp.. but I am not great at reversing”

Will Dormann, a Security researcher from US Cert Tested the exploit and confirms that the exploit is 100% working against fully patched Windows 10.

Mitja Kolsek, Co-Founder of 0patch, tested this zero-day and confirmed that “this 0day from SandboxEscaper to work on fully updated Windows 10. The DACL of any chosen file gets altered so that the provided user can arbitrarily modify it.”

This is not an end of Zero-day Leak

SandboxEscaper also warned that She found more Zero-day’s and it’s coming on the way.

“Oh, and I have 4 more unpatched bugs where that one came from.
3 LPEs (all gaining code exec as a system, not lame delete bugs or whatever), and one sandbox escape.”

Also, she said “If any non-western people want to buy LPEs, let me know. (Windows LPE only, not doing any other research nor interested in doing so). Won’t sell for less than 60k for an LPE.”|

“I don’t owe society a single thing. Just want to get rich and give you fucktards in the west the middle finger.”

There is no patch available for this Zero-day Vulnerability at this moment, But we can expect Microsoft to patch this flaw and release an update in next patch Tuesday update on June 12, 2019.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Meta Removed 2 Million Account Linked to Malicious Activities

 Meta has announced the removal of over 2 million accounts connected to malicious activities, including…

56 minutes ago

Veritas Enterprise Vault Vulnerabilities Lets Attackers Execute Arbitrary Code Remotely

Critical security vulnerability has been identified in Veritas Enterprise Vault, a widely-used archiving and content…

2 hours ago

7-Zip RCE Vulnerability Let Attackers Execute Remote Code

A critical security vulnerability has been disclosed in the popular file archiving tool 7-Zip, allowing…

2 hours ago

Massive Credit Card Leak, Database of 1,221,551 Cards Circulating on Dark Web

A massive data breach has sent shockwaves across the globe, as a database containing sensitive…

4 hours ago

Nearest Neighbor Attacks: Russian APT Hack The Target By Exploiting Nearby Wi-Fi Networks

Recent research has revealed that a Russian advanced persistent threat (APT) group, tracked as "GruesomeLarch"…

2 days ago

240+ Domains Used By PhaaS Platform ONNX Seized by Microsoft

Microsoft's Digital Crimes Unit (DCU) has disrupted a significant phishing-as-a-service (PhaaS) operation run by Egypt-based…

3 days ago