Details on the Task Scheduler ALPC zero-day

Topic

New Reply

Kevin Beaumont (@GossiTheDog) just published an excellent overview of the newly touted ALPC zero-day in Task Scheduler. Complete with working exploit
[See the full post at: Details on the Task Scheduler ALPC zero-day]

1 user thanked author for this post.

Elly

Reply | Quote

Replies

I don’t know that we should panic about the exploit, but the poster to github appears to be unstable.

Reply | Quote

Sounds pretty serious to me. Rest assured, it will appear in the wild soon if it hasn’t already. We will HAVE to apply any patch that comes out ASAP, and pray to the deities that it doesn’t break things.

Reply | Quote

According to Woody’s in the Home Page: ” Nothing to worry about yet, but expect to see a fix for all versions of Windows before too long. ”

Looking into this, I find the following at Born’s:

” Will Dormann, a vulnerability analyst at the CERT/CC, tested the exploit and confirmed that it “works well in a fully-patched 64-bit Windows 10 system.”

About the vulnerability
He also prepared a vulnerability note detailing the flaw: a local privilege escalation vulnerability in the Advanced Local Procedure Call (ALPC) interface used by the Microsoft Windows task scheduler, the exploitation of which can allow a local user to obtain SYSTEM privileges on the target computer.

“The CERT/CC is currently unaware of a practical solution to this problem,” he wrote, and later remarked on Twitter that he’s currently unaware of any workarounds.

UK-based security architect Kevin Beaumont also confirmed the exploit works.

The vulnerability has yet to receive a CVE number but has bee awarded a CVSS score that puts it in the “medium” risk category.

According to The Register, a Microsoft spokesperson acknowledged the existence of the vulnerability and said the company will “proactively update impacted advices as soon as possible”.  ”      (Emphasis is mine.)

“Advices”? Typo, or impenetrably opaque jargon?

So, does this bit of malware threaten users of all versions of Windows, those still supported in particular? Please, perhaps someone could confirm this? Thanks.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

4 users thanked author for this post.

HiFlyer, AlexEiffel, gborn, columbia2011

Reply | Quote

Currently I’m a bit confused. I tried to execute the commands, the PoC author has shown within his video shipped with the PoC archive. Using a standard user account in 64 bit Win 7, I wasn’t able to grant SYSTEM privileges to a process like Notepad.  Maybe it’s my fault and I made an error or overlooked something.

The fact, that Microsoft didn’t release an emergency patch and addresses the next patchday is probably an indication, that the 0-day exploit isn’t that critical. But that’s my personal opinion. We will wait and see.

Ex Microsoft Windows (Insider) MVP, Microsoft Answers Community Moderator, Blogger, Book author

https://www.borncity.com/win/

4 users thanked author for this post.

HiFlyer, AlexEiffel, OscarCP, Elly

Reply | Quote

I’m imagining the mitigations for this could cause things that have always worked to stop working.

It has always been common practice to start things that need privilege via the Task Scheduler when a user logs in. I have, for example a program called WizMouse that starts when I log in and intercepts mouse wheel events and sends them to whatever application the mouse is over (and it actually works better than the Windows facility to do the same).

I smell a potential loss of functionality in the name of security here. I definitely need to learn more detail about this one.

As far as being vulnerable to this… Just be careful what you run – as always. This isn’t something where someone on the other side of the world can magically reach into your computer and make things go wrong. NEVER assume that you can just blithely run software (e.g., malware) on your computer and somehow it will protect itself. That’s always been a pipe dream and it always will be.

-Noel

1 user thanked author for this post.

HiFlyer

Reply | Quote

I had the same thought about functionality. Maybe even inside Windows, there are things that depend on this (even if they shouldn’t), who knows?

I’m more worried about click-happy users on a corporate network. Privilege escalation should be quite scary for a sysadmin, no?

 

Reply | Quote

Seems like a good time to log in to task Scheduler as admin, and disable any tasks they aren’t needed.

You might be surprised what you find.

1 user thanked author for this post.

HiFlyer

Reply | Quote

So, if the main vector for this vulnerability is the XPS printer… well, remove it right away.

Reply | Quote

I wonder if uninstalling XPS Services and XPS Viewer from Win7 will remove this vulnerability. Needless to say, XPS was a horribly failed Microsoft attempt to make inroads against Adobe’s widely accepted Postscript and PDF formats.

Reply | Quote

Kudos (I mean — give points) to both santino and GoneToPlaid.

If an important part of the demonstratable attack code involves the XPS driver, and if I don’t use the XPS driver at all, would I be better off simply removing the XPS driver (and anything else XPS-related which I can find)?

HMcF

Win7 Pro SP1 64-bit, Group B until Dec 2018, later Group W. In process of switching to Linux Mint.

1 user thanked author for this post.

OscarCP

Reply | Quote

I just uninstalled XPS Services and XPS Viewer from my Win7 computer, with no ill effects, even though there was a popup which warned that some services possibly would stop working or that some default settings would be changed. When you install Win7 the default printer is the XPS printer. I don’t think that I ever used XPS even once during many years. I didn’t even have to reboot after uninstalling these two Windows components.

Reply | Quote

Many thanks. I will follow your example.

HMcF

Reply | Quote

“The recently discovered Windows zero-day – which still doesn’t have a patch – has been used in the wild for the last week, with an active info-stealing campaign emerging just two days after its disclosure on Twitter.”

https://threatpost.com/active-spy-campaign-exploits-unpatched-windows-zero-day/137237/

Reply | Quote

From the bottom line of that article; CERT/CC has added a temporary workaround sometime within the last week:

Set ACLs on the C:\Windows\Tasks directory

Karsten Nilsen has provided a mitigation for this vulnerability. Caution: This mitigation has not been approved by Microsoft. However, in our testing it does block exploits for this vulnerability. It also appears to let scheduled tasks to continue to run, and users can continue to create new scheduled tasks as necessary. However, this change will reportedly break things created by the legacy task scheduler interface. This can include things like SCCM and the associated SCEP updates. Please ensure that you have tested this mitigation to ensure that it does not cause unacceptable consequences in your environment.

To apply this mitigation, run the following commands in an elevated-privilege prompt,:

icacls c:\windows\tasks /remove:g “Authenticated Users”
icacls c:\windows\tasks /deny system:(OI)(CI)(WD,WDAC)

Note that when a fix is made available for this vulnerability, these changes should be undone. This can be done by executing the following commands:

icacls c:\windows\tasks /remove:d system
icacls c:\windows\tasks /grant:r “Authenticated Users”:(RX,WD)

Vulnerability Note VU#906424 Microsoft Windows task scheduler contains a local privilege escalation vulnerability in the ALPC interface

(It seemed like a worthwhile protection to me, so I’ve done this on my computers.)

Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge

2 users thanked author for this post.

AlexEiffel, satrow

Reply | Quote

At this point this is a threat to all supported Windows versions (7, 8, 8.1 and various 10’s), so my guess would be those still on xp can breath easy for a change…

I d not understand why placing a Notepad dll in the System works as the starting point of a multi phase attack, and perhaps someone could explain that here. But more importantly: is my assumption that, at least for now, being careful as usual when receiving email from a supposedly trusted source with an incongruent ‘subject’ header and leaving it unopened and trashing it instead will make this much less of a threat?

The article also mentions that fake updates to “Google applications” as a point of entry. Does this include the browser Chrome, that updates itself automatically? Thanks.

1 user thanked author for this post.

HiFlyer

Reply | Quote

Notepad was the end of the proof of concept, not the start; it was just used as a sample executable to be launched with system privileges due to the flaw.

GoogleUpdate.exe is the program run by task scheduler to automatically update the Chrome browser and other applications, but it is not an entry point for this exploit so there are no fake updates.

The current attack replaces that program with a malicious version which will then run automatically. It does appear to start with an “unpaid invoice” email attachment so far.

Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge

2 users thanked author for this post.

AlexEiffel, Kirsty

Reply | Quote

GoogleUpdate.exe also runs from a gupdate service, but I think that’s started by task scheduler:

https://www.ghacks.net/2008/12/28/googleupdateexe/

Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge

Reply | Quote

Patched today for all current versions of Windows:

CVE-2018-8440 | Windows ALPC Elevation of Privilege Vulnerability

Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge

4 users thanked author for this post.

SueW, AlexEiffel, satrow, Kirsty

Reply | Quote