Advisory | Microsoft Zero Day – Windows Task Scheduler Local Privilege Escalation Vulnerability
Introduction to Microsoft Zero Day Vulnerability
A previously unknown zero day vulnerability has been disclosed in the Microsoft’s Windows operating system that could help a local user or malicious program to obtain system privileges on the targeted machine.
The vulnerability is a privilege escalation issue which resides in the Windows’ task scheduler program and occurred due to errors in the handling of Advanced Local Procedure Call (ALPC) systems.
Advanced local procedure call (ALPC) is an internal mechanism, available only to Windows operating system components, that facilitates high-speed and secure data transfer between one or more processes in the user mode.
Exploit for this vulnerability has been shared by a hacker named “SandboxEscaper” and the exploit code is currently available on public repositories like GitHub. However the current exploit works only in windows 64 bit operating systems. For a complete solution, we have to wait for Microsoft to respond until the scheduled September 11 Patch.
Affected Versions
1) Windows 10
2) Windows Server 2016
The exploit would need modifications to work on operating systems other than 64-bit (i.e., 32-bit OS). Also it hard codes prnms003 driver, which doesn’t exist in certain versions (e.g. on Windows 7 it can be prnms001). Compatibility with other windows versions may be possible with modification of the publicly available exploit source code.
How to Detect?
It is possible that the original windows processes can be replaced with the malicious program shared by the hacker. So we can detect those exploits by checking whether the original windows processes have been replaced.
- Look for spoolsv.exe under abnormal processes (or another Spooler exploit).
- Look for connhost.exe under abnormal processes (e.g. the Print Spooler).
Spoolsv.exe:
It is called Windows Print Spooler. This service spools print jobs and handles interaction with the printer. By disabling the Windows Print Spooler service you wouldn’t be able to print more than one document at a time, and any documents not immediately sent to the printer wouldn’t print.
Risk: If you turn off this service, you won’t be able to print or see your printers.
Fig: Checking for suspicious processes
Connhost.exe:
It is called Console Windows Host. This service is present in Windows 10 and using this, windows command prompt can show the same window frame like the other programs. It also allows you to operate the cmd prompt and users to drag and drop a file directly into it. This Microsoft Console Host program resides in “C:\Windows\System32” and should not be removed.
This process is closely related to windows CSRSS(Client Server Runtime System Service) a protected process you can’t terminate, which is responsible for console windows and the shutdown process, which are critical functions in Windows.
Risk: If you turn off this service, windows CSRSS service will also crash because conhost.exe runs under csrss.exe, so there is a high chance for the system to become unusable or shutdown.
Fig: Checking for suspicious processes
Recommendations for Microsoft Zero Day Vulnerability
- Do not remove/disable any original system processes without confirmation.
- Monitor and block any local users from gaining administrator privileges by using SIEM tools.
- Detect all the malicious processes by the name of genuine ones by using Behavioral Analysis.
- Network traffic analytics should continue to be used to detect anomalous traffic going across the network and to spot where users are behaving in a way that they historically don’t.
References
- https://www.kb.cert.org/vuls/id/906424
- https://doublepulsar.com/task-scheduler-alpc-exploit-high-level-analysis-ff08cda6ad4f
- https://threatpost.com/microsoft-windows-zero-day-found-in-task-scheduler/136977/
Author,
I savor, result in I discovered exactly what I was having a look for.
You have ended my 4 day lengthy hunt! God Bless you man. Have a great day.
Bye สล็อต bpg
I like what you guys are up too. Such clever work and exposure!
Keep up the fantastic works guys I’ve added you guys to our blogroll.
I’ve been browsing online more than three hours today, yet I never
found any interesting article like yours. It’s pretty worth
enough for me. In my view, if all website owners and bloggers made good content as you did, the
net will be much more useful than ever before.
Thank you 🙂
I couldn’t refrain from commenting. Very well written!
Thank you 🙂
Having read this I believed it was very enlightening.
I appreciate you taking the time and effort to put this
content together. I once again find myself personally spending a lot of time both
reading and commenting. But so what, it was still worthwhile!
Thank You 🙂
You need to take part in a contest for one of the best websites on the web. I’m going to recommend this website!
Thank you 🙂
I do not know if it’s just me or if everybody else experiencing issues with
your site. It appears as if some of the text on your posts are running off the screen. Can someone else please
comment and let me know if this is happening to
them as well? This may be a problem with my web browser because I’ve had this happen previously.
Cheers
We’ll check the issue. Thank you.
I really like what you guys are usually up too. This sort of clever work and coverage!
Keep up the fantastic works guys I’ve added you guys to
my own blogroll.
Thank you 🙂
I couldn’t refrain from commenting. Perfectly written!
Thank you 🙂
I like what you guys are up too. This kind of clever work and coverage!
Keep up the excellent works guys I’ve added you guys to
blogroll.
Thank you 🙂