Microsoft Windows contains a privilege escalation vulnerability in the way that theTask Scheduler SetJobFileSecurityByName() function is used, which can allow an authenticated attacker to gain SYSTEM privileges on an affected system.
Task Scheduler is a set of Microsoft Windows components that allows for the execution of scheduled tasks. The front-end components of Task Scheduler, such as schtasks.exe, are interfaces that allow for users to view, create, and modify scheduled tasks. The back-end part of Task Scheduler is a Windows service that runs with SYSTEM privileges. One of the libraries used by the Task Scheduler service, schedsvc.dll, has a function called tsched::SetJobFileSecurityByName(), which sets permissions of job files. The permissions of the job file in the %Windir%\system32\tasks directory are modified to give the calling user full permissions to the job file that they have created.
At the point where the SetSecurityInfo() function is called, the Task Scheduler service has the NT Authority\SYSTEM security token. This means that the Task Scheduler service can give full user access permissions to files that may only be controlled by the SYSTEM or other privileged accounts.
By leveraging the Windows Task Scheduler service, an authenticated attacker can gain full access to protected files. This can allow complete system compromise from a limited Windows user account.
Apply an update
This vulnerability was publicly disclosed by SandboxEscaper.
This document was written by Will Dormann.
|Date First Published:||2019-05-22|
|Date Last Updated:||2019-06-12 17:30 UTC|