There’s a Severe Privilege Escalation Vulnerability in Windows RPC Protocol That Microsoft Won’t Fix
Last updated September 23, 2021
A hacker going by the nickname “SandboxEscaper” has published a zero-day vulnerability and proof of concept code on GitHub, concerning the Windows 10 Task Scheduler. Along with the code, the hacker also published a relevant video (shown below) that shows exactly how the exploit can be leveraged. As it’s shown, an attacker can execute a specially crafted “.job” file that changes the Task Scheduler’s permissions over an individual file. Through this way, the attacker could ramp up the privilege from a simple locked down users to a system administrator.
While the hacker demonstrated the vulnerability on a 32-bit installation, theoretically, the same exploitation potential can be achieved in 64-bit systems with some special modification. In fact, it looks like with slight changes, this exploitation could work on other Windows versions besides 10, like the 7, XP, or Server 2003. LPE (Local Privilege Escalation) vulnerabilities are leveraged by attackers who want to dive deeper into a valuable host. That said, it is not a means of infiltration or a first wave attack vulnerability. However, it remains very critical as it dramatically undermines the defense of already-compromised systems.
So, with the demo code out and the video showing how to do it, does this mean that you’re vulnerable? Actually, that’s exactly what is going on right now. The anonymous hacker has decided not to inform Microsoft of the LPE flaw in the Scheduler, or she has decided not to wait for them to release a fixing patch. That said, we could wait until next month to get a fix in a regular update by Microsoft, or maybe the Redmond company will release an emergency fix if they deem the danger seriously enough.
The same hacker has disclosed zero-day LPE vulnerabilities on Windows another four times before, announcing them on Twitter and publishing the proof of concept code on GitHub again. In none of these cases has “SandboxEscaper” notified Microsoft officially, and in one instance the PoC was incorporated in a malware campaign toolset after just a week following the publication of the relevant zero-day. Maybe she just hates Microsoft, or she’s an avid Linux fan. Whatever the case, published zero-day vulnerabilities accompanied by PoC code are a bomb thrown in Microsoft’s hands, so let’s hope they’ll respond to it before it blows.
Why do you think some hackers prefer not to get paid for their security flaw discoveries, and prefer to risk the security of thousands instead? Let us know in the comments down below, and also on our socials, on Facebook and Twitter.