Microsoft Windows Task Scheduler Elevation of Privilege Vulnerability (2305420)

Microsoft Windows Task Scheduler Elevation of Privilege Vulnerability (2305420) allows elevation of privilege due to an error in task scheduler integrity checks

Reporter	Title	Published	Views	Family All 16
0day.today	Windows Escalate Task Scheduler XML Privilege Escalation	21 Jul 201200:00	–	zdt
Circl	CVE-2010-3338	20 Nov 201000:00	–	circl
CVE	CVE-2010-3338	16 Dec 201019:00	–	cve
Cvelist	CVE-2010-3338	16 Dec 201019:00	–	cvelist
Exploit DB	Microsoft Windows - Task Scheduler '.XML' Local Privilege Escalation (MS10-092) (Metasploit)	19 Jul 201200:00	–	exploitdb
Metasploit	Windows Escalate Task Scheduler XML Privilege Escalation	13 Jun 201205:58	–	metasploit
NVD	CVE-2010-3338	16 Dec 201019:33	–	nvd
OpenVAS	Microsoft Windows Task Scheduler Elevation of Privilege Vulnerability (2305420)	15 Dec 201000:00	–	openvas
Packet Storm	Windows Escalate Task Scheduler XML Privilege Escalation	19 Jul 201200:00	–	packetstorm
Prion	Design/Logic Flaw	16 Dec 201019:33	–	prion

Source	Link
microsoft	www.microsoft.com/technet/security/bulletin/MS10-092.mspx
support	www.support.microsoft.com/kb/2305420

###############################################################################
# OpenVAS Vulnerability Test
# $Id: secpod_ms10-092.nasl 5361 2017-02-20 11:57:13Z cfi $
#
# Microsoft Windows Task Scheduler Elevation of Privilege Vulnerability (2305420)
#
# Authors:
# Antu Sanadi <[email protected]>
#
# Copyright:
# Copyright (c) 2010 SecPod, http://www.secpod.com
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################

tag_impact = "Successful exploition will allows elevation of privilege.
  Impact Level: System/Application";
tag_affected = "Micorsoft Windows 7
  Microsoft Windows Vista Service Pack 2 and prior.
  Microsoft Windows Server 2008 Service Pack 2 and prior.";
tag_insight = "The flaw is caused by an error in task scheduler when performing integrity
  checks to validate tasks run with the intended user privilege.";
tag_solution = "Run Windows Update and update the listed hotfixes or download and
  update mentioned hotfixes in the advisory from the below link,
  http://www.microsoft.com/technet/security/Bulletin/MS10-092.mspx";
tag_summary = "This host is missing a critical security update according to
  Microsoft Bulletin MS10-092.";

if(description)
{
  script_id(902276);
  script_version("$Revision: 5361 $");
  script_tag(name:"last_modification", value:"$Date: 2017-02-20 12:57:13 +0100 (Mon, 20 Feb 2017) $");
  script_tag(name:"creation_date", value:"2010-12-15 14:53:45 +0100 (Wed, 15 Dec 2010)");
  script_cve_id("CVE-2010-3338");
  script_tag(name:"cvss_base", value:"7.2");
  script_tag(name:"cvss_base_vector", value:"AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_name("Microsoft Windows Task Scheduler Elevation of Privilege Vulnerability (2305420)");
  script_xref(name : "URL" , value : "http://support.microsoft.com/kb/2305420");
  script_xref(name : "URL" , value : "http://www.microsoft.com/technet/security/bulletin/MS10-092.mspx");

  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2010 SecPod");
  script_family("Windows : Microsoft Bulletins");
  script_dependencies("secpod_reg_enum.nasl");
  script_require_ports(139, 445);
  script_mandatory_keys("SMB/WindowsVersion");

  script_tag(name : "impact" , value : tag_impact);
  script_tag(name : "affected" , value : tag_affected);
  script_tag(name : "insight" , value : tag_insight);
  script_tag(name : "solution" , value : tag_solution);
  script_tag(name : "summary" , value : tag_summary);
  script_tag(name:"qod_type", value:"registry");
  script_tag(name:"solution_type", value:"VendorFix");
  exit(0);
}


include("smb_nt.inc");
include("secpod_reg.inc");
include("version_func.inc");
include("secpod_smb_func.inc");

## Check for OS and Service Pack
if(hotfix_check_sp(winVista:3, win2008:3, win7:1) <= 0){
  exit(0);
}

## MS10-092 Hotfix (2305420)
if(hotfix_missing(name:"2305420") == 0){
  exit(0);
}

## Get System Path
sysPath = smb_get_systemroot();
if(!sysPath ){
  exit(0);
}

dllPath = sysPath + "\system32\Taskeng.exe";
share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:dllPath);
file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1", string:dllPath);

## Get Version from Schannel.dll file
dllVer = GetVer(file:file, share:share);
if(!dllVer){
  exit(0);
}

## Windows Vista and Windows Server 2008
if(hotfix_check_sp(winVista:3, win2008:3) > 0)
{
  SP = get_kb_item("SMB/WinVista/ServicePack");

  if(!SP) {
    SP = get_kb_item("SMB/Win2008/ServicePack");
  }

  if("Service Pack 1" >< SP)
  {
    ## Check for Taskeng.exe version
    if(version_is_less(version:dllVer, test_version:"6.0.6001.18551")){
      security_message(0);
    }
    exit(0);
  }

  if("Service Pack 2" >< SP)
  {
    ## Check for Taskeng.exe version
    if(version_is_less(version:dllVer, test_version:"6.0.6002.18342")){
      security_message(0);
    }
    exit(0);
  }
  security_message(0);
}

## Windows 7
else if(hotfix_check_sp(win7:1) > 0)
{
  ## Check for Taskeng.exe version
  if(version_is_less(version:dllVer, test_version:"6.1.7600.16699")){
    security_message(0);
  }
}

20 Feb 2017 00:00Current

0.3Low risk

Vulners AI Score0.3

EPSS0.6037