Zero-day vulnerability found in Windows 10 Patch Tuesday

Ezzeldin Tahoun, PwnPizza
May 26, 2019

Security updates for Windows 10 were released this past Tuesday. Less than 24 hours later, exploit developer SandboxEscaper released an exploit against the freshly updated system. This particular exploit targets a privilege escalation vulnerability that exists because of the way one of the Task Scheduler functions works; it allows an attacker to gain SYSTEM privileges on a compromised machine [1]. As of now, SandboxEscaper has released a total of 5 exploits that she claims are zero-day exploits, but Gal De Leon of Palo Alto Networks confirmed that one of them, named AngryPolarBearBug2, is actually a proof of concept for CVE-2019-0863 [2].

Why is it important?

Three out of the four bugs are local privilege escalation flaws, meaning an attacker can obtain elevated privileges by exploiting them. The remaining vulnerability is in Internet Explorer 11, where an attacker can inject malicious code into the Internet Explorer (IE) process. Even though this flaw is not remotely exploitable, it can be used to disable security measures in IE for further attacks. [3]

The other three bugs can give the attacker SYSTEM-level privileges. While exploiting these vulnerabilities does not by itself delete any files or inject malicious code into the system, it elevates the attacker's privileges and thereby gives full access to the machine.

Once the attacker has full access, they can delete files, install trackers, spyware or keyloggers, or connect the host to a botnet. The compromised system would be at the attacker's mercy.

Who is affected?

Windows 10 is the most popular desktop OS with 39.22% of desktop market share followed by Windows 7 at 36.9% as of December 2018. [4]

These vulnerabilities were found in the patch that Microsoft deployed this past Wednesday. All Windows 10 machines that have applied these security updates and are up to date appear to be vulnerable at this point. It is unclear whether Microsoft will release patches for these bugs before its scheduled security updates next month.

One of the vulnerabilities, found in the Task Scheduler in Windows 10, has been tested and confirmed to work on Windows 10 32-bit and 64-bit systems. Researchers have tested the exploit code made publicly available by SandboxEscaper and confirmed that it also works on Windows Server 2016 and Windows Server 2019.

This vulnerability has been identified in Windows 8 too, but researchers say the effect of the flaw on Windows 8 appears to be minimal. They were unable to reproduce it on Windows 7. [1]

In theory, this vulnerability could be exploited on systems running older versions of Windows, all the way back to Windows XP and Server 2003, but this has not been confirmed yet. [5]

What impact might it have on people?

Since Windows 10 is the most popular desktop OS, this vulnerability has a very wide reach. The Windows operating system is widely used in many institutions, including educational institutions, banks and professional environments.

Although the vulnerabilities mentioned above are not directly destructive by themselves, they can either give the attacker full access to the system or turn off protections, making the system even more vulnerable. Exposing systems in this way could mean that sensitive data is stolen, or that the host becomes part of a botnet that is used to orchestrate a larger attack on another target.

These vulnerabilities could be exploited silently, which means it could take a long time before the user knows that their system has been compromised. Most of them can be used to weaken the system and/or gain access, and then to launch an even bigger attack.

What were the causes?

Of the four flaws found in this patch, one exploits the way the SetJobFileSecurityByName() function is used in the Task Scheduler. schtasks.exe is used as a front end to schedule tasks and modify existing tasks. The back end of the Task Scheduler is a service that runs with SYSTEM privileges. The tsched::SetJobFileSecurityByName() function found in schtasks.dll sets the permissions of job files and grants the user full permissions on the job they have created. [1]

The legacy schtasks.exe and schedsvc.dll code exported from Windows XP is used to obtain SYSTEM-level privileges. SandboxEscaper's proof-of-concept code uses the SchRpcRegisterTask method of the Task Scheduler to register tasks. There is no permission check, so the method can be used to change the Discretionary Access Control List (DACL) of an individual file. A malformed job can thus be used to gain SYSTEM-level access. [6]

Another vulnerability is found in Internet Explorer 11, where an attacker can inject a Dynamic Link Library (DLL) into an Internet Explorer 11 process. Upon successful execution, a file picker is invoked with an HTML page that contains JavaScript. The exploit disables Internet Explorer's Protected Mode, which means that any malicious JavaScript can be run at this point. [2]

The third zero-day bug is dubbed CVE-2019-0841-BYPASS. It was given this name after SandboxEscaper found vulnerable code triggered by CVE-2019-0841. An exploit based on this vulnerability uses the Windows AppX Deployment Service (AppXSVC), which fails to properly handle hard links. According to researchers, this vulnerability bypasses Microsoft's CVE-2019-0841 patch and can overwrite a DACL, thereby granting access to otherwise protected files. [7]

The last bug is named InstallerBypass. This is yet another local privilege escalation flaw, which can be used to drop binaries into the Windows system32 folder, from where they can be run with SYSTEM privileges. The exploit developer points out that this vulnerability can be combined with malware to execute it on any affected system.

How might similar problems be prevented in the future?

After researching these vulnerabilities, it seems that most of them overwrite a DACL to gain permission to otherwise restricted files. These flaws can be classified as time-of-check to time-of-use (TOCTOU) bugs. Such bugs happen when the attacker alters the object on which a permission check was performed after it has been checked but before it is accessed. In the vulnerabilities discussed above, an attacker could swap in hard links and overwrite DACLs, thereby gaining SYSTEM-level permissions.

There are many ways this class of attack can be prevented. One is to use locks: a lock can be acquired before checking a file and held until the file has been accessed. This guarantees that the file cannot be changed between the time it is checked and the time it is used. The lock is released once processing of the file is done.

Another way is to keep using the same file descriptor that was used for the permission check: operate on file handles rather than file names. If possible, remove any indirection and act on the object itself.

Transactional operations could also be used to check and open a file. This leaves no window in which an attacker can change the file's symlink after it has been checked for permissions and before it is opened.
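The handle-based mitigation described in the last three paragraphs can be shown side by side with the vulnerable check-then-use pattern. This is an added example, not code from the post or from any of the referenced advisories; it assumes a POSIX host (O_NOFOLLOW and st_nlink) and uses a constructed `race` hook to stand in for an attacker who wins the race window, so the outcome is deterministic rather than timing-dependent. Both the symlink swap and the hard-link variant the post attributes to the AppXSVC bug are exercised.

```python
import os
import stat
import tempfile


def check_then_use(path, race=None):
    """Vulnerable pattern: validate the NAME, then open the NAME again.

    `race` is a hook constructed for this demo; it runs inside the window
    between the check and the use, standing in for an attacker who wins the
    race and re-points `path` at a file they are not allowed to read.
    """
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError("not a regular file")
    if race:
        race()                        # attacker swaps what `path` refers to
    with open(path, "rb") as f:       # the name is resolved a second time
        return f.read()


def open_then_check(path, race=None):
    """Hardened pattern: open once, then validate the HANDLE you actually got.

    Every decision is made on the descriptor (fstat), so whatever the name
    points to afterwards is irrelevant; nothing can be swapped underneath an
    open descriptor. O_NOFOLLOW (POSIX) refuses to open a symlink at all.
    """
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0)
    if race:
        race()          # even if the attacker moves first, we only trust the fd
    fd = os.open(path, flags)         # raises OSError (ELOOP) for a symlink
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        if st.st_nlink != 1:
            # A second hard link means another name, possibly attacker-created,
            # refers to this very inode: the hard-link trick described above.
            raise PermissionError("file has %d hard links" % st.st_nlink)
        return os.read(fd, st.st_size)
    finally:
        os.close(fd)


def demo(attack):
    """Run both patterns against a constructed sandbox directory.

    `attack` is "symlink" or "hardlink". Returns a tuple of
    (bytes the vulnerable pattern read, outcome of the hardened pattern).
    """
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "secret.txt")   # constructed: protected file
        target = os.path.join(d, "target.txt")   # constructed: file the user may read
        with open(secret, "wb") as f:
            f.write(b"SECRET")

        def reset():
            if os.path.lexists(target):
                os.remove(target)
            with open(target, "wb") as f:
                f.write(b"public data")

        def swap():
            # The attacker's move: replace target.txt with a link to the secret.
            os.remove(target)
            if attack == "symlink":
                os.symlink(secret, target)
            else:
                os.link(secret, target)

        reset()
        leaked = check_then_use(target, race=swap)
        reset()
        try:
            open_then_check(target, race=swap)
            outcome = "read"
        except OSError:                  # PermissionError is an OSError too
            outcome = "refused"
        return leaked, outcome


if __name__ == "__main__":
    for kind in ("symlink", "hardlink"):
        print(kind, demo(kind))
```

`check_then_use` is the TOCTOU shape: it inspects the name with `lstat`, then resolves the same name again with `open`, so both a symlink swap and a hard link planted in between leak the protected file. `open_then_check` never re-resolves the name; everything it decides is read from the descriptor it already holds, and a link count above one is rejected because another name, possibly attacker-controlled, would then refer to the same object. On Windows the same principle applies: open the handle once and inspect that handle (GetFileInformationByHandle reports the link count among other attributes) rather than re-checking the path.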

---------

References:

[1] Software Engineering Institute. Microsoft Windows Task Scheduler SetJobFileSecurityByName privilege escalation vulnerability

https://kb.cert.org/vuls/id/119704/

[2] Bleeping Computer. PoC Exploits Released for Two More Windows Vulnerabilities

https://www.bleepingcomputer.com/news/microsoft/poc-exploits-released-for-two-more-windows-vulnerabilities/

[3] ZDNet. Two more Microsoft zero-days uploaded on GitHub

https://www.zdnet.com/article/two-more-microsoft-zero-days-uploaded-on-github/

[4] The Verge. Windows 10 is now more popular than Windows 7

https://www.theverge.com/2019/1/2/18164916/microsoft-windows-10-market-share-passes-windows-7-statistics

[5] ZDNet. Windows 10 zero-day exploit code released online

https://www.zdnet.com/article/windows-10-zero-day-exploit-code-released-online/

[6] The Hacker News. PoC Exploit For Unpatched Windows 10 Zero-Day Flaw Published Online

https://thehackernews.com/2019/05/windows-zero-day-vulnerability.html

[7] Bleeping Computer. Two More Windows 10 Zero-Day PoC Exploits Released, Brings Total to 4
