Zero-Day Flaw in Windows 10 Task Scheduler Gets Micropatch



An unpatched local privilege escalation zero-day vulnerability in Windows 10 received a temporary patch today. The fix is delivered through the 0patch platform and can be applied on systems without rebooting them.


Exploit code for this zero-day flaw is available from researcher SandboxEscaper, who named it BearLPE when she published it ten days ago. It targets the Task Scheduler component in Windows 10.


An attacker who has already compromised the target host can use this bug to take control of files that are reserved for high-privilege users such as SYSTEM and TrustedInstaller. This way, they can act with increased rights on vulnerable systems.


According to Will Dormann, a vulnerability analyst at CERT/CC, the exploit is 100% reliable on x86 systems and needs to be recompiled for x64 machines.


0patch co-founder Mitja Kolsek explains that the problem stems from legacy support of task files, which can be added to a modern system from an old one.


The video below demonstrates how the micropatch works on a vulnerable machine:


[embedded content]


"When you run Windows XP schtasks.exe on Windows 10, legacy RPC functions are called - which in turn call the current ones, such as SchRpcSetSecurity," Kolsek says.



So what is the flaw here? It's a case of incorrect impersonation, as already suspected by SandboxEscaper and other researchers, but it comes with a twist. SchRpcSetSecurity method, which initially seems to be the culprit, does impersonate the caller and performs correctly.


— 0patch (@0patch) May 31, 2019

He furthe ..
