Latest Intel Exploit
Credit to Kevin Beaumont


Task Scheduler ALPC exploit high level analysis

Yesterday SandboxEscaper tweeted a local privilege escalation exploit for Windows, which currently has no patch. It’s a really neat flaw, in particular how it is exploited.

High level overview

  • Needs prior code execution to exploit.
  • Exploit currently only works on 64-bit OSes (likely Win 10 and Server 2016).

Let’s take a bit of a look at the code. I’ve uploaded it to Github for easier analysis, I hope SandboxEscaper doesn’t mind.

What is the flaw?

“_SchRpcSetSecurity which is part of the task scheduler ALPC endpoint allows us to set an arbitrary DACL. It will set the security of a file in c:\windows\tasks without impersonating, a non-admin (works from Guest too) user can write here. Before the task scheduler writes the DACL we can create a hard link to any file we have read access over. This will result in an arbitrary DACL write. This PoC will overwrite a printer related dll and use it as a hijacking vector. This is of course one of many options to abuse this.” — source

The flaw is that the Task Scheduler API function SchRpcSetSecurity fails to check permissions. So anybody — even a guest — can call it and set file permissions on anything locally.

What is the exploit?

This exploit misuses SchRpcSetSecurity to alter permissions (I wouldn’t recommend running it on a live system, by the way) so that a hard link can be created, and then submits a print job to the XPS printer (installed with Windows XP Service Pack 2+) to get the hijack DLL loaded as SYSTEM (via the Spooler process).

What does it look like in practice?

You get a process spawned under the Print Spooler service (spoolsv.exe) called cmd.exe, which spawns conhost.exe, which spawns a random process. This isn’t normal behaviour.

Exploit limitations

It needs tweaking to work on 32-bit OSes, as it has hardcoded paths containing *AMD64* which don’t exist on 32-bit Windows. It also hardcodes the prnms003 driver, which doesn’t exist on certain versions (e.g. on Windows 7 it can be prnms001).

Other ways to exploit

There are a bunch of other ways I can think of that this could be abused. Essentially, if you can alter permissions and create hard links you can do a bunch of Bad Things(tm).

Ways to detect

  • If you use Microsoft Sysmon, look for spoolsv.exe spawning abnormal processes — it’s a sure sign this exploit is being used (or another Spooler exploit). Similarly, if you use Sysmon, look for conhost.exe (Task Scheduler) spawning under abnormal processes (e.g. the Print Spooler).
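The detection bullet above can be turned into a small check over exported Sysmon process-creation events (Event ID 1). The script below is an added example, not code from the original post or from Kevin Beaumont: it indexes events by ProcessGuid, walks each process's recorded ancestry, and flags every process that descends from spoolsv.exe, so the whole chain (spoolsv.exe > cmd.exe > conhost.exe, and whatever cmd.exe runs afterwards) is reported rather than only the first child. The sample log is constructed inline, and the allow-list of "normal" Spooler children is an assumption to tune for your own estate.

```python
"""Flag process trees rooted at the Print Spooler in Sysmon Event ID 1 XML.
Added example for the Sysmon detection idea above; not code from the original post."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Namespace used by Windows Event Log XML exports (Sysmon events included).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SPOOLER = "spoolsv.exe"
# Assumption: children the Spooler launches in normal operation; tune per environment.
ALLOWED_SPOOLER_CHILDREN = {"printisolationhost.exe"}


@dataclass
class Finding:
    record_id: str
    chain: str  # e.g. "spoolsv.exe > cmd.exe > conhost.exe"


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(xml_text: str) -> dict:
    """Index Event ID 1 records by ProcessGuid (other event IDs are ignored)."""
    procs = {}
    root = ET.fromstring(xml_text)
    for ev in root.iter("{%s}Event" % NS["e"]):
        if ev.findtext("e:System/e:EventID", default="", namespaces=NS) != "1":
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        procs[data["ProcessGuid"]] = {
            "record_id": ev.findtext("e:System/e:EventRecordID", default="", namespaces=NS),
            "image": basename(data.get("Image", "")),
            "parent_guid": data.get("ParentProcessGuid", ""),
            "parent_image": basename(data.get("ParentImage", "")),
        }
    return procs


def ancestry(procs: dict, guid: str) -> list:
    """Image names from the oldest known ancestor down to the process itself."""
    cur = procs[guid]
    chain = [cur["image"]]
    seen = {guid}
    while True:
        pg = cur["parent_guid"]
        if pg in procs and pg not in seen:
            seen.add(pg)
            cur = procs[pg]
            chain.append(cur["image"])
        else:
            # Parent was not logged (e.g. started before Sysmon): fall back to
            # the ParentImage name Sysmon recorded on the child event.
            chain.append(cur["parent_image"])
            break
    return chain[::-1]


def spooler_descendants(xml_text: str) -> list:
    """Findings for every process whose ancestry passes through spoolsv.exe."""
    procs = parse_events(xml_text)
    findings = []
    for guid, rec in procs.items():
        chain = ancestry(procs, guid)
        if SPOOLER not in chain[:-1]:  # Spooler must be an ancestor, not the process itself
            continue
        direct_child = chain[chain.index(SPOOLER) + 1]
        if direct_child in ALLOWED_SPOOLER_CHILDREN:
            continue
        findings.append(Finding(rec["record_id"], " > ".join(chain)))
    return findings


def _event(rec, guid, image, pguid, pimage):
    """Build one constructed Sysmon Event ID 1 record."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>1</EventID>'
            f'<EventRecordID>{rec}</EventRecordID></System><EventData>'
            f'<Data Name="ProcessGuid">{guid}</Data><Data Name="Image">{image}</Data>'
            f'<Data Name="ParentProcessGuid">{pguid}</Data>'
            f'<Data Name="ParentImage">{pimage}</Data></EventData></Event>')


# Constructed sample log: a cmd.exe chain under the Spooler, a benign Spooler
# child, and an unrelated notepad.exe under explorer.exe.
SAMPLE_LOG = "<Events>" + "".join([
    _event("1001", "{A}", r"C:\Windows\System32\cmd.exe", "{SPOOL}", r"C:\Windows\System32\spoolsv.exe"),
    _event("1002", "{B}", r"C:\Windows\System32\conhost.exe", "{A}", r"C:\Windows\System32\cmd.exe"),
    _event("1003", "{C}", r"C:\Windows\System32\whoami.exe", "{A}", r"C:\Windows\System32\cmd.exe"),
    _event("1004", "{D}", r"C:\Windows\System32\PrintIsolationHost.exe", "{SPOOL}", r"C:\Windows\System32\spoolsv.exe"),
    _event("1005", "{E}", r"C:\Windows\System32\notepad.exe", "{EXPL}", r"C:\Windows\explorer.exe"),
]) + "</Events>"


if __name__ == "__main__":
    for f in spooler_descendants(SAMPLE_LOG):
        print(f"record {f.record_id}: {f.chain}")
```

Walking the full ancestry matters because the post describes a three-deep chain; matching only on ParentImage would miss the final process, whose direct parent is cmd.exe. Feed the script real exports (wevtutil or an EDR pipeline) in place of SAMPLE_LOG and expect zero findings on a quiet host.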

Ways to mitigate

  • Antivirus, segmentation, don’t allow untrusted users to run code.

Ways to fix

  • Microsoft need to fix the function. This will probably happen in a few weeks.

