Exploit for Zero Day Flaw in Windows Task Scheduler Released Online

Security researcher ‘SandboxEscaper’ has released a PoC exploit for yet another vulnerability in Windows Task Scheduler, just a few days after the latest round of patches were issued by Microsoft. This is the 5th exploit for a new zero-day exploit in Windows that has been publicly disclosed by SandboxEscaper. She also claims to have a further four exploits for zero-day vulnerabilities that have not yet been disclosed.

The latest bug is a local privilege escalation vulnerability that would allow hackers who have gained low-level privileges on a compromised system to elevate those privileges to administrator, and ultimately gain full control of a compromised device.

The vulnerability is in the Windows Task Scheduler process which would allow a hacker to run a malformed .job file to exploit a flaw in how Task Scheduler changes discretionary access control list (DACL) permissions for an individual file, which could eventually result in full admin access being gained to the system.

Following the publication of the exploit on Github, the exploit was tested and confirmed to work on Windows 10 32-bit and 63-bit systems, as well as Windows Server 2016 and 2019. Some security researchers believe that the exploit could be tweaked to also work on other Windows versions.

It is unlikely that Microsoft will issue an out-of-band update to correct the flaw, so users will have to wait until at least June Patch Tuesday before the vulnerability is corrected, unless a micropatch is released by a service such as oPatch.

SandboxEscaper’s first exploit was publicly released rather than being disclosed to Microsoft out of “frustration” with the reporting process. That exploit was incorporated into some malware variants shortly after its release before Microsoft had issued a patch.

The second, third, and fourth exploits are not believed to have been used in the wild. Respectively, they allow an attacker to delete, read, or overwrite any file on the system, regardless of the privileges of the user that owned them. In all cases, those exploits were released publicly and not reported to Microsoft.

This time she has gone a step further and has publicly offered exploits for the four other vulnerabilities to “non-western people” for upwards of “60k” for each LPE vulnerability, stating “I don’t owe society a single thing. Just want to get rich and give you ****tards in the west the middlefinger.”

Three of those exploits are LPEs and one allows an attacker to bypass sandbox security. In a recent blog post SandboxEscaper explained, “I have most definitely given portions of my work to people who hate the US… That’s what happens when the FBI subpoenas my google acc and intrudes my privacy.
Now those people are going to use those bugs to get back at US targets.”

However, two of those exploits were released on May 23 on GitHub: An LPE vulnerability and an IE11 sandbox escape vulnerability. The LPE vulnerability has been named AngryPolarBearBug2 and exploits a flaw in Windows Error Reporting by exploiting a race condition between function calls to create a hardlink with elevated permissions to a file of the attacker’s choosing, allowing that file to be modified or deleted. This vulnerability is difficult to exploit. SandboxEscaper said “it can take upwards of 15 minutes for the bug to trigger,” but the attempt may fail.

The IE11 sandbox escape vulnerability would allow an attacker to inject malicious code into Internet Explorer. This flaw could not be exploited remotely, but it could be used to cancel security protections in IE allowing subsequent attacks to take place.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news