{"id":1519,"date":"2018-09-04T14:30:41","date_gmt":"2018-09-04T14:30:41","guid":{"rendered":"https:\/\/www.varutra.com\/blog\/?p=1519"},"modified":"2023-03-24T12:27:43","modified_gmt":"2023-03-24T06:57:43","slug":"advisory-microsoft-zero-day-vulnerability-windows-task-scheduler-local-privilege-escalation-vulnerability","status":"publish","type":"post","link":"https:\/\/www.varutra.com\/varutravrt3\/advisory-microsoft-zero-day-vulnerability-windows-task-scheduler-local-privilege-escalation-vulnerability\/","title":{"rendered":"Advisory | Microsoft Zero Day – Windows Task Scheduler Local Privilege Escalation Vulnerability"},"content":{"rendered":"

<\/p>\n

Introduction to Microsoft Zero Day Vulnerability<\/strong><\/h3>\n

A previously unknown zero day vulnerability has been disclosed in the Microsoft’s Windows operating system that could help a local user or malicious program to obtain system privileges on the targeted machine.<\/p>\n

The vulnerability is a privilege escalation issue which resides in the Windows’ task scheduler program and occurred due to errors in the handling of Advanced Local Procedure Call (ALPC) systems.<\/p>\n

Advanced local procedure call (ALPC) is an internal mechanism, available only to Windows operating system components, that facilitates high-speed and secure data transfer between one or more processes in the user mode.<\/p>\n

Exploit for this vulnerability has been shared by a hacker named \u201cSandboxEscaper\u201d and the exploit code is currently available on public repositories like GitHub. However the current exploit works only in windows 64 bit operating systems. For a complete solution, we have to wait for Microsoft to respond until the scheduled September 11 Patch.<\/p>\n

 <\/p>\n

Affected Versions<\/strong><\/h3>\n

1) Windows 10<\/p>\n

2) Windows Server 2016<\/p>\n

The exploit would need modifications to work on operating systems other than 64-bit (i.e., 32-bit OS). Also it hard codes prnms003 driver, which doesn\u2019t exist in certain versions (e.g. on Windows 7 it can be prnms001). Compatibility with other windows versions may be possible with modification of the publicly available exploit source code.<\/p>\n

 <\/p>\n

How to Detect?<\/strong><\/h3>\n

It is possible that the original windows processes can be replaced\u00a0with the malicious program shared by the hacker. So we can detect those exploits by checking whether the original windows processes have been replaced.<\/p>\n

    \n
  1. Look for\u00a0spoolsv.exe\u00a0<\/strong>under abnormal processes (or another Spooler exploit).<\/li>\n
  2. Look for\u00a0connhost.exe<\/strong> under abnormal processes (e.g. the Print Spooler).<\/li>\n<\/ol>\n

    Spoolsv.exe:<\/u><\/strong><\/p>\n

    It is called Windows Print Spooler. This service spools print jobs and handles interaction with the printer. By disabling the Windows Print Spooler service you wouldn\u2019t be able to print more than one document at a time, and any documents not immediately sent to the printer wouldn\u2019t print.<\/p>\n

    Risk: <\/strong>If you turn off this service, you won\u2019t be able to print or see your printers.<\/p>\n

    \"Checking<\/a><\/p>\n

    Fig: Checking for suspicious processes<\/em><\/p>\n

    Connhost.exe:<\/u><\/strong><\/p>\n

    It is called Console Windows Host. This service is present in Windows 10 and using this, windows command prompt can show the same window frame like the other programs. It also allows you to operate the cmd prompt and users to drag and drop a file directly into it.\u00a0This Microsoft Console Host program resides in “C:\\Windows\\System32” and should not be removed.<\/p>\n

    This process is closely related to windows CSRSS(Client Server Runtime System Service) a protected process you can\u2019t terminate, which is responsible for console windows\u00a0and the shutdown process, which are critical functions in Windows.<\/p>\n

    Risk: <\/strong>If you turn off this service, windows CSRSS service will also crash because conhost.exe runs under csrss.exe, so there is a high chance for the system to become unusable or shutdown.<\/p>\n

    \"Checking<\/a><\/p>\n

    Fig: Checking for suspicious processes<\/em><\/p>\n

     <\/p>\n

    Recommendations for Microsoft Zero Day Vulnerability<\/strong><\/h3>\n
      \n
    1. Do not remove\/disable any original system processes without confirmation.<\/li>\n
    2. Monitor and block any local users from gaining administrator privileges by using SIEM tools.<\/li>\n
    3. Detect all the malicious processes by the name of genuine ones by using Behavioral Analysis.<\/li>\n
    4. Network traffic analytics should continue to be used to detect anomalous traffic going across the network and to spot where users are behaving in a way that they historically don\u2019t.<\/li>\n<\/ol>\n

       <\/p>\n

      References<\/strong><\/h3>\n
        \n
      1. https:\/\/www.kb.cert.org\/vuls\/id\/906424<\/a><\/li>\n
      2. https:\/\/doublepulsar.com\/task-scheduler-alpc-exploit-high-level-analysis-ff08cda6ad4f<\/a><\/li>\n
      3. https:\/\/threatpost.com\/microsoft-windows-zero-day-found-in-task-scheduler\/136977\/<\/a><\/li>\n<\/ol>\n

         <\/p>\n

        Author,<\/p>\n

        Jinto T.K.<\/strong><\/div>\n
        SOC Team<\/div>\n
        Varutra Consulting Pvt. Ltd.<\/em><\/div>","protected":false},"excerpt":{"rendered":"

        Introduction to Microsoft Zero Day Vulnerability A previously unknown zero day vulnerability has been disclosed in the Microsoft’s Windows operating system that could help a…<\/p>\n","protected":false},"author":3,"featured_media":2982,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"inline_featured_image":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[266,274,57,283],"tags":[123,125,126,127,128,129,130],"aioseo_notices":[],"aioseo_head":"\n\t\t\n\t\n\t\n\t\n\t\n\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t