A hacker going by the name SandboxEscaper decided to upload a 0day exploit for the Task Scheduler on Windows 10 32/64-bit and Server 2016 x64. The SchRpcSetSecurity API contains a privilege escalation vulnerability that allows an authenticated low-privilege user to overwrite the contents of certain files protected by ACLs in the filesystem. This is big: a locally authenticated user can elevate their privileges to NT AUTHORITY\SYSTEM, the highest privilege in the Windows operating system.
Maybe this is a new trend, releasing 0days?
Hey, I link to the code here; hopefully SandboxEscaper doesn't mind me doing that.
Process Explorer is used to watch existing and newly started processes. From cmd.exe we launch notepad.exe to create a new process with its own PID, so that we can use that PID for the DLL hijack running with SYSTEM privilege.
Figure 1: the notepad process with PID 1356, running under cmd.exe.
CFF Explorer is used to edit ALPC_Tasksched-LPE.dll: under RCData, resource 101, right-click and choose Replace Resource (Raw) and select poc.dll, the DLL we generated with Empire C2.
Figure 2: CFF Explorer editing ALPC_Tasksched-LPE.dll, with the existing DLL replaced by our Empire C2 DLL to get a reverse connection during execution.
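The resource swap in Figure 2 leaves a static artefact a defender can look for: a DLL that carries a complete PE image as a raw RCData resource. As an added example (not code from the original post or from the PoC), here is a small parser for the PE resource tree that reports RCData entries whose bytes begin with an MZ header; it assumes a well-formed image with the standard three-level type/name/language tree.

```python
import struct

RT_RCDATA = 10  # resource type (RT_RCDATA) used by the loader DLL to carry its payload

def _sections(data, e_lfanew):
    """Section table as (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) tuples."""
    n_sections, opt_size = (struct.unpack_from("<H", data, e_lfanew + o)[0] for o in (6, 20))
    base = e_lfanew + 24 + opt_size  # section headers follow the optional header, 40 bytes each
    return [struct.unpack_from("<IIII", data, base + 40 * i + 8) for i in range(n_sections)]

def _rva_to_offset(sections, rva):
    """Map an RVA to a file offset using the section that contains it."""
    for vsize, va, raw_size, raw_ptr in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA %#x is outside every section" % rva)

def _walk(data, rsrc, dir_off, path, leaves):
    """Walk the type -> name -> language resource tree; leaves collect (type, name, lang, rva, size)."""
    named, ids = struct.unpack_from("<HH", data, rsrc + dir_off + 12)
    for i in range(named + ids):
        ident, off = struct.unpack_from("<II", data, rsrc + dir_off + 16 + 8 * i)
        ident &= 0x7FFFFFFF  # named entries keep a string offset here; id entries the id itself
        if off & 0x80000000:  # high bit set: the entry points at a subdirectory
            _walk(data, rsrc, off & 0x7FFFFFFF, path + (ident,), leaves)
        else:  # otherwise an IMAGE_RESOURCE_DATA_ENTRY: data RVA, size, code page, reserved
            rva, size = struct.unpack_from("<II", data, rsrc + off)
            leaves.append(path + (ident, rva, size))

def embedded_pe_resources(data):
    """Return [(type_id, name_id, size)] for every RCData resource whose bytes begin with 'MZ'."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    dir_base = e_lfanew + 24 + (112 if magic == 0x20B else 96)  # data directories: PE32+ vs PE32
    rsrc_rva = struct.unpack_from("<I", data, dir_base + 8 * 2)[0]  # IMAGE_DIRECTORY_ENTRY_RESOURCE
    if rsrc_rva == 0:
        return []  # image has no resource section at all
    sections = _sections(data, e_lfanew)
    leaves = []
    _walk(data, _rva_to_offset(sections, rsrc_rva), 0, (), leaves)
    hits = []
    for type_id, name_id, _lang, rva, size in (leaf for leaf in leaves if len(leaf) == 5):
        off = _rva_to_offset(sections, rva)
        if type_id == RT_RCDATA and data[off:off + 2] == b"MZ":
            hits.append((type_id, name_id, size))
    return hits
```

Run it over a suspect DLL with `embedded_pe_resources(open(path, "rb").read())`; a hit on RCData resource 101 is the pattern this PoC loader uses.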
InjectDll.exe is run with 3508 (the notepad PID) and our modified ALP-TaskSched-LPE.PoC.dll.
Figure 3: we execute InjectDll.exe with the modified Empire DLL.
The local copy of the Empire agent calls back, and a “whoami” command shows the session running as NT AUTHORITY\SYSTEM.
Figure 4: the agent runs in the NT AUTHORITY\SYSTEM privilege context.
A quick video session here demonstrates the steps taken to corroborate the ALPC privilege escalation: https://youtu.be/t50v8zGIwWE
Now we wait for Microsoft to release a security patch in the next few weeks…