Windows Task Scheduler Privilege Escalation ALPC exploit

Quick Description:

Hacker goes by name SandboxEscaper decide to upload 0day exploit in the windows 10 32-64 bit & Server 2016 x64 task scheduler, SchRpcSetSecurity API contains a privilege escalation vulnerability which can allow authenticated low privilege user to overwrite content of certain files protected by ACLs in filesystem. This is big, a local user authenticated can elevate their privilege to NT Authority /SYSTEM, which is highest privilege in windows operating system.

Maybe this new trend to release 0days ?

Hey I link to the code here,hopefully SanboxEscaper doesn’t mind me doing that.

Exploit prerequisite:

-Windows 10 32/64 or server 2016 system
-Exploit code link here
-CFF PE resource editor link here
-Your own malicious dll e.g msfvenom or empire powershell post exploitation framework etc

Process explore tool to see existing/new running process.Cmd.exe then launched notepad.exe to create a new process id PID  so that we can use PID to call hijack DDL as system privilege.

lpp1

Figure 1  notepad process associated with PID 1356 run under the cmd.exe.

Windows CFF explore  to edit ALPC_Tasksched-LPE.dll  then  RCData 101, Click right to Replace Resource Raw  then poc.dll which we used empire C2 for dll generation . CFF

Figure 2 CFF explore edit the ALPC_Tasksched-LPE.dll and replaced the existing dll with our empire C2 for reverse during execution.

 

InjectDll.exe 3508 notepad PID and our modified ALP-TaskSched-LPE.PoC.dll

F

Figure 3  we execute InjectDll.exe with modified empire dll

Local copy of empire agent call back “whoami” command shows session runs under the NT Authority\SYTEM

NT-Authority-lpe-access

Figure 4  Agent runs under the NT AUTHORITY\SYSTEM privilege context

 

Quick Video session here to demonstrate steps taken to corroborate the  ALPC privilege escalation  https://youtu.be/t50v8zGIwWE

Remediation

Wait for Microsoft to release security patch next few weeks…

 

 

 

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s