Exploit code for Windows 10 zero-day flaw in Task Scheduler released by security researcher

Zero-day vulnerability uncovered by SandboxEscaper is a local privilege escalation flaw that attackers can reportedly exploit with a 100 per cent success rate

A security researcher has released details of a zero-day vulnerability affecting the Task Scheduler in Windows 10. The flaw is a local privilege escalation bug that could let a low-privileged attacker take full control of files on a Windows 10 or Windows Server system, she has warned.

Update: Three more Windows 10 zero-days dropped by SandboxEscaper

SandboxEscaper, the moniker of the researcher who discovered the vulnerability, shared demo exploit code on GitHub, meaning that it is now in the wild, and gave further details in a blog post.

The zero-day is a local privilege escalation (LPE) flaw: it does not give an attacker a way in, but lets someone who already runs code at low privilege on a compromised system elevate their level of access.

According to SandboxEscaper, the vulnerability lies in the Windows Task Scheduler service, which can import legacy .job files and, while doing so, sets the file's discretionary access control list (DACL) using its own SYSTEM-level privileges rather than the importing user's rights.


When an imported .job file lacks a DACL, the service writes one that grants the importing user full access to the file.

An attacker can therefore import a malicious .job file, swap it for an NTFS hard link to a protected system file, and have the service grant their low-privileged account full control over that file. Control of the right system file is a short step to administrator (SYSTEM) access over the whole machine.

The exploit reportedly also works on Windows Server and on older releases such as Windows XP; it relies on legacy Task Scheduler components (schtasks.exe and schedsvc.dll) from Windows XP to reach the .job import path.

SandboxEscaper shared a video demonstrating the proof-of-concept in action on 32-bit (x86) Windows.


"The exploit calls the code once, deletes the file, and then calls it again with an NTFS hard link pointing to the file that gets permissions clobbered with SetSecurityInfo()," Will Dormann, a security expert at CERT/CC told BleepingComputer.

Dormann tested the exploit code and found it worked on a fully patched 32-bit Windows 10 system with a 100 per cent success rate. After recompilation for 64-bit, the code also works on 64-bit Windows 10, and he obtained similar results on Windows Server 2016 and 2019.
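The mechanism Dormann describes leaves two artefacts an administrator can look for: a .job file in the legacy Tasks folder that is really a hard link to something else, and a protected system file whose DACL now carries an explicit "full control" grant to a low-privileged principal. The PowerShell audit below is an added example written for this article, not code from SandboxEscaper, Dormann or Microsoft. The watch-list of sensitive files and the set of "low-privileged" SIDs are assumptions chosen for illustration; adjust them to your environment.

```powershell
# Added example, not part of the original report. Audits a host for the two
# artefacts of the Task Scheduler .job / hard-link DACL clobber described above.
#Requires -RunAsAdministrator

$TasksDir = Join-Path $env:windir 'Tasks'      # legacy .job files are imported from here

# Assumed watch-list: files whose DACL should never grant write access to ordinary users.
$SensitiveFiles = @(
    (Join-Path $env:windir 'System32\drivers\pci.sys'),
    (Join-Path $env:windir 'System32\ntoskrnl.exe'),
    (Join-Path $env:windir 'System32\services.exe')
)

# Assumed set of principals that count as "low-privileged" for this check.
$LowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-11',      # Authenticated Users
    'S-1-5-7'        # Anonymous
)

# Any of these rights on a protected file is enough to turn into code execution as SYSTEM.
$WriteMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl -bor
                   [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
                   [System.Security.AccessControl.FileSystemRights]::ChangePermissions)

function Get-HardLinkCount {
    param([string]$Path)
    # fsutil prints one path per hard link sharing the file's MFT record.
    $links = & fsutil.exe hardlink list $Path 2>$null
    if ($LASTEXITCODE -ne 0) { return $null }
    return @($links | Where-Object { $_ -ne '' }).Count
}

function Test-JobDirectory {
    # Check 1: a .job file with more than one link is the shape the exploit creates,
    # a hard link dropped in place of the deleted .job so the service rewrites the
    # link target's DACL instead.
    Get-ChildItem -LiteralPath $TasksDir -Filter '*.job' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $count = Get-HardLinkCount -Path $_.FullName
            if ($count -gt 1) {
                [pscustomobject]@{ Finding = 'HardLinkedJobFile'; Path = $_.FullName; Detail = "$count links" }
            }
        }
}

function Test-SensitiveDacls {
    # Check 2: a successful run leaves a protected file with an explicit (non-inherited)
    # Allow ACE granting write-class rights to a low-privileged SID.
    foreach ($file in $SensitiveFiles) {
        if (-not (Test-Path -LiteralPath $file)) { continue }
        $acl = Get-Acl -LiteralPath $file
        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited -or $ace.AccessControlType -ne 'Allow') { continue }
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            $grantsWrite = (([int]$ace.FileSystemRights) -band $WriteMask) -ne 0
            if ($grantsWrite -and ($LowPrivSids -contains $sid)) {
                [pscustomobject]@{
                    Finding = 'WeakDacl'
                    Path    = $file
                    Detail  = "$($ace.IdentityReference): $($ace.FileSystemRights)"
                }
            }
        }
    }
}

$findings = @(Test-JobDirectory) + @(Test-SensitiveDacls)
if ($findings.Count -eq 0) { 'No indicators found.' } else { $findings | Format-Table -AutoSize }
```

Both checks are point-in-time: the hard link is usually removed once the DACL has been rewritten, so the second check is the more durable one. For a live signal, enable object access auditing on the watch-listed files; Windows then logs Security event 4670 ("Permissions on an object were changed") with the calling process, which for this exploit path is the Task Scheduler service rather than the user's own process.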

The vulnerability is the fifth Windows zero-day SandboxEscaper has released since August last year. The earlier four were an LPE in Advanced Local Procedure Call (ALPC), an LPE in the Microsoft Data Sharing service, a ReadFile bug, and an LPE in the Windows Error Reporting system.

Microsoft issued fixes for all of these flaws within one or two months of their public release.

SandboxEscaper also claims to have found four further, not yet disclosed, zero-day flaws: three LPE vulnerabilities and one sandbox escape.
