Microsoft Task Scheduler ALPC Exploit

Most times when security researchers need to disclose a vulnerability, they let the company know and wait for them to fix it. @SandboxEscaper did not do that…

It is a privilege escalation exploit that affects basically every version of Windows that runs Windows Task Scheduler. The best part: it has no patch yet.

What is the flaw?

The Task Scheduler API function doesn’t check permissions. AT ALL. The function SchRpcSetSecurity can be misused to alter permissions. A hard link can be created so that a print job invoked through the XPS service injects a malicious DLL as the SYSTEM user. All of this gets spawned by the print spooling process (spoolsv.exe).
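Since the post's own point is that the payload ends up running inside spoolsv.exe, the detection a defender wants is "the spooler loaded a DLL it should not have". The following is an added example, not code from the post or from SandboxEscaper; it runs over constructed, simplified Sysmon Event ID 7 (ImageLoaded) style lines, and the trusted-directory list is an assumption to adjust per environment.

```python
import re
from typing import Dict, List

# Constructed sample lines modelled loosely on Sysmon Event ID 7 (ImageLoaded)
# fields; they are not real telemetry, and the paths contain no spaces so a
# simple key=value split is enough.
SAMPLE_EVENTS = [
    "EventID=7 Image=C:\\Windows\\System32\\spoolsv.exe ImageLoaded=C:\\Windows\\System32\\PrintConfig.dll Signed=true",
    "EventID=7 Image=C:\\Windows\\System32\\spoolsv.exe ImageLoaded=C:\\Windows\\Tasks\\evil.dll Signed=false",
    "EventID=7 Image=C:\\Windows\\System32\\svchost.exe ImageLoaded=C:\\Users\\bob\\AppData\\Local\\Temp\\x.dll Signed=false",
    "EventID=7 Image=C:\\Windows\\System32\\spoolsv.exe ImageLoaded=C:\\Windows\\System32\\localspl.dll Signed=true",
    "EventID=1 Image=C:\\Windows\\System32\\spoolsv.exe CommandLine=spoolsv.exe",
]

# Directories the spooler is expected to load DLLs from (assumption; tune per host).
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_event(line: str) -> Dict[str, str]:
    """Split a 'Key=Value Key=Value' line into a dict with lowercased keys and values."""
    return {k.lower(): v.lower() for k, v in re.findall(r"(\w+)=(\S+)", line)}


def is_suspicious_spooler_load(event: Dict[str, str]) -> bool:
    """True when spoolsv.exe loads a DLL from outside the trusted directories
    or one that is not signed: the kind of image load the exploit causes."""
    if event.get("eventid") != "7":
        return False
    if not event.get("image", "").endswith("\\spoolsv.exe"):
        return False
    loaded = event.get("imageloaded", "")
    untrusted = not loaded.startswith(TRUSTED_PREFIXES)
    unsigned = event.get("signed") != "true"
    return untrusted or unsigned


def find_suspicious_loads(lines: List[str]) -> List[str]:
    """Return the loaded-image path of every suspicious spooler event."""
    events = [parse_event(line) for line in lines]
    return [e["imageloaded"] for e in events if is_suspicious_spooler_load(e)]


if __name__ == "__main__":
    for path in find_suspicious_loads(SAMPLE_EVENTS):
        print("ALERT: spoolsv.exe loaded", path)
```

Signed-but-overwritten DLLs in a trusted directory will pass this check, so pair it with file-integrity monitoring on the spooler's DLL directories rather than relying on it alone.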

Image credit: Kevin Beaumont

What does that mean?

Basically, this exploit tricks your computer into thinking it’s printing something, but then runs some code instead.

How do we fix it?

Wait for Microsoft to fix it.
