Published on May 23rd, 2019 📆 | 2797 Views ⚑
0Hacker Leaked New Unpatched Windows 10 Zero-day POC Exploit Online
An anonymous hacker leaked a new Windows zero-day Proofs-of-concept online that exploit the vulnerability resides in the Windows Task Scheduler.
Sanboxescaper, a pseudonym of an unknown hacker who is known for frequently leaking Windows zero-day bugs online, and this is a fifth zero-day bug (1, 2, 3, 4 ) that has been leaked in a year since August 2018.
In this leak, Exploit published for Task Scheduler vulnerability let attackers perform a local privilege escalation (LPE) and gain complete control of fully patched current version of Windows 10.
Task Scheduler is a component of Microsoft Windows that provides the ability to schedule the launch of programs or scripts at pre-defined times or after specified time intervals.
Sanboxescaper concentrated with the Task Scheduler and exploited the bug in Windows 10 by calling an RPC Function âSchRpcRegisterTaskâ( a method registers a task with the server) which is exposed by the task scheduler service.
Remote Procedure Call (RPC) is a protocol that one program can use to request a service from a program located in another computer on a network without having to understand the networkâs details.
It can be achieved by import legacy task files (â.jobâ file format) with arbitrary DACL Writes from other systems to Windows 10 Task Scheduler.
Arbitrary DACL writes allow a low-privileged user to change the system permissions, eventually, a local user gains complete control of the system.
Sandbox escaper explains, âFor example, In the old days (i.e windows
âIf on windows 10 you want to import a .job file into the task scheduler you have to copy your old .job files into c:windowstasks and run the following command using âschtasks.exe and âschedsvc.dllâ copied from the old systemâ
âI assume that to trigger this bug you can just call into this function directly without using that schtasks.exe copied from windows xp.. but I am not great at reversingâ
Will Dormann, a Security researcher from US Cert Tested the exploit and confirms that the exploit is 100% working against fully patched Windows 10.
Mitja Kolsek, Co-Founder of 0patch, tested this zero-day and confirmed that âthis 0day from SandboxEscaper to work on fully updated Windows 10. The DACL of any chosen file gets altered so that the provided user can arbitrarily modify it.â
This is not an end of Zero-day Leak
SandboxEscaper also warned that She found more Zero-dayâs and itâs coming on the way.
âOh, and I have 4 more unpatched bugs where that one came from.
3 LPEs (all gaining code exec as a system, not lame delete bugs or whatever), and one sandbox escape.â
Also, she said âIf any non-western people want to buy LPEs, let me know. (Windows LPE only, not doing any other research nor interested in doing so). Wonât sell for less than 60k for an LPE.â|
âI donât owe society a single thing. Just want to get rich and give you fucktards in the west the middle finger.â
There is no patch available for this Zero-day Vulnerability at this moment, But we can expect Microsoft to patch this flaw and release an update in next patch Tuesday update on June 12, 2019.
You can Download Free E-book to learn about complete Enterprise Security Implementation & Mitigation Steps â Download Free-Ebook Here.
You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.
Gloss