There’s a Windows zero-day in the wild, and CERT knows no practical solution until Microsoft patches.

There’s a Windows zero-day in the wild thanks to Twitter user “SandboxEscaper,” who revealed the local privilege escalation vulnerability and a proof-of-concept (PoC) exploit via Twitter. The researcher, who claims to be tired of IT security work, added:

“Ps: Microsoft is stupid and I can’t wait to sell bugs in their software.” — SandboxEscaper (@SandboxEscaper) August 27, 2018

After tweeting about the local privilege escalation vulnerability in the ALPC interface of the Microsoft Windows Task Scheduler, and linking to the PoC on GitHub, SandboxEscaper claimed she or he would be “gone” for a bit.

CERT/CC analyst confirms Windows zero-day exploit

Will Dormann, a vulnerability analyst at CERT/CC, tested the exploit and confirmed that it works on a fully patched 64-bit Windows 10 system.

“I’ve confirmed that this works well in a fully-patched 64-bit Windows 10 system. LPE right to SYSTEM! https://t.co/My1IevbWbz” — Will Dormann (@wdormann) August 27, 2018

Dormann then published a vulnerability note on CERT: “Microsoft Windows task scheduler contains a local privilege escalation vulnerability in the Advanced Local Procedure Call (ALPC) interface, which can allow a local user to obtain SYSTEM privileges.” The note continues:

“Microsoft Windows task scheduler contains a vulnerability in the handling of ALPC, which can allow a local user to gain SYSTEM privileges. We have confirmed that the public exploit code works on 64-bit Windows 10 and Windows Server 2016 systems. Compatibility with other Windows versions may be possible with modification of the publicly-available exploit source code.”

According to the vulnerability note, CERT is “currently unaware of a practical solution.”

Security researcher Kevin Beaumont explained the exploit’s limitations and other ways to exploit it in his analysis written on DoublePulsar.
He also published the vulnerability code on GitHub so it is easier to analyze.

How to detect the exploit on your system

As for how to detect it, Beaumont advised, “If you use Microsoft Sysmon, look for spoolsv.exe spawning abnormal processes — it’s a sure sign this exploit is being used (or another Spooler exploit). Similarly if you use Sysmon, look for conhost.exe (Task Scheduler) spawning under abnormal processes (e.g. the Print Spooler).”

The actual fix will have to come from Microsoft. A Microsoft spokesperson told The Register it will “proactively update impacted devices as soon as possible.” The proof-of-concept code is in the wild and the next Patch Tuesday is weeks away, giving attackers a fairly big window to work on exploiting targets’ Windows systems.

“With the latest Windows OS vulnerability made public, IT professionals need to be extra vigilant regarding their network users’ behaviors,” said Justin Jett, director of audit and compliance for Plixer. “The PoC released by ‘researcher’ SandboxEscaper on Twitter gives malicious actors leverage needed to break into organizations to steal valuable information.”

“Network traffic analytics should continue to be used to detect anomalous traffic going across the network and to spot where users are behaving in a way that they historically don’t,” Jett added. “Such behavior could be a strong indicator that the vulnerability, which allows hackers to escalate their privileges on a system, may be in use. We’ll have to wait for Microsoft to respond, but if nothing is released until the scheduled September 11 Patch Tuesday, hackers will have a two-week window to take advantage of this vulnerability.”
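To make the two Sysmon indicators Beaumont describes concrete, here is an added example (not code from the article, from Beaumont’s analysis, or from Sysmon itself) that parses Sysmon Event ID 1 (ProcessCreate) records in the “Key: Value” layout of the event message body and flags both patterns: the Print Spooler (spoolsv.exe) starting a child that is not on an expected-children allow-list, and conhost.exe being started under a non-interactive service such as the spooler. The sample records are constructed for this illustration, and the EXPECTED_SPOOLER_CHILDREN and SERVICE_PARENTS sets are assumptions to tune for your own environment.

```python
"""Flag Sysmon ProcessCreate (Event ID 1) records that match the
spooler-related indicators quoted above.

Added example, not from the article or from Sysmon. The sample
records are constructed; the allow-list and service-parent sets are
assumptions to be tuned locally.
"""
import ntpath  # handles Windows paths correctly on any host OS
from typing import Dict, List, Tuple

# Constructed sample: four ProcessCreate records in the "Key: Value"
# layout Sysmon writes into the event message body (fields trimmed to
# what the rules need). Records are separated by a blank line.
SAMPLE_EVENTS = r"""
UtcTime: 2018-08-28 09:00:01.000
ProcessId: 1200
Image: C:\Windows\System32\PrintIsolationHost.exe
ParentProcessId: 1104
ParentImage: C:\Windows\System32\spoolsv.exe

UtcTime: 2018-08-28 09:00:05.000
ProcessId: 1300
Image: C:\Windows\System32\conhost.exe
ParentProcessId: 2200
ParentImage: C:\Windows\System32\cmd.exe

UtcTime: 2018-08-28 09:00:09.000
ProcessId: 1400
Image: C:\Windows\System32\conhost.exe
ParentProcessId: 1104
ParentImage: C:\Windows\System32\spoolsv.exe

UtcTime: 2018-08-28 09:00:10.000
ProcessId: 1500
Image: C:\Windows\System32\cmd.exe
ParentProcessId: 1104
ParentImage: C:\Windows\System32\spoolsv.exe
"""

SPOOLER = "spoolsv.exe"
# Assumption: children the Print Spooler legitimately starts. Extend
# this from a baseline of your own fleet before alerting on it.
EXPECTED_SPOOLER_CHILDREN = {"printisolationhost.exe", "splwow64.exe"}
# Assumption: service processes that should never own a console host.
SERVICE_PARENTS = {SPOOLER}


def parse_sysmon_text(text: str) -> List[Dict[str, str]]:
    """Split blank-line-separated blocks of 'Key: Value' lines into dicts.

    Only the first colon is treated as the separator, so values such as
    'C:\\Windows\\...' keep their drive-letter colon intact.
    """
    events: List[Dict[str, str]] = []
    for block in text.strip().split("\n\n"):
        fields: Dict[str, str] = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            events.append(fields)
    return events


def flag_events(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (rule_name, ProcessId, Image) for every record that matches.

    Rule 1: spoolsv.exe is the parent and the child is not an expected
            spooler helper.
    Rule 2: conhost.exe is the child and the parent is a service that
            has no business owning a console.
    A single record can match both rules; each match is reported.
    """
    hits: List[Tuple[str, str, str]] = []
    for ev in events:
        child = ntpath.basename(ev.get("Image", "")).lower()
        parent = ntpath.basename(ev.get("ParentImage", "")).lower()
        pid = ev.get("ProcessId", "?")
        if parent == SPOOLER and child not in EXPECTED_SPOOLER_CHILDREN:
            hits.append(("spooler-unexpected-child", pid, ev.get("Image", "")))
        if child == "conhost.exe" and parent in SERVICE_PARENTS:
            hits.append(("conhost-under-service", pid, ev.get("Image", "")))
    return hits


if __name__ == "__main__":
    for rule, pid, image in flag_events(parse_sysmon_text(SAMPLE_EVENTS)):
        print(f"{rule}: pid={pid} image={image}")
```

Run as-is, the script reports the two spooler-spawned records (PIDs 1400 and 1500) and stays silent on the legitimate PrintIsolationHost.exe child and on conhost.exe under cmd.exe; in practice the same two functions would be fed exported Sysmon events rather than the inline sample, and the allow-list would be built from a baseline of what the spooler starts on your own hosts.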