How to detect if your system is exploited by LPE vulnerability in Windows Task Scheduler?


A security researcher using the Twitter handle SandboxEscaper disclosed on Twitter an unpatched vulnerability in the Windows operating system, together with a proof-of-concept (PoC) exploit.

According to SandboxEscaper, it is a local privilege escalation (LPE) vulnerability that lies in the ALPC (Advanced Local Procedure Call) interface of the Microsoft Windows Task Scheduler. The ALPC interface is an inter-process communication mechanism in Windows.

The vulnerability can enable attackers to gain elevated access to a computer running Windows. Attackers who inject malicious code into systems usually do so using the PoC exploit, as it allows them to gain administrative access to the targeted systems. All 64-bit Windows systems are currently vulnerable to this flaw.

Will Dormann, a vulnerability analyst from CERT/CC who tested the flaw, later confirmed on Twitter that the vulnerability works well in a fully-patched 64-bit Windows 10 system.

The analyst further published a vulnerability note stating that the Microsoft Windows Task Scheduler contains a local privilege escalation vulnerability in its ALPC interface which can allow a local user to obtain SYSTEM privileges.

“Microsoft Windows task scheduler contains a vulnerability in the handling of ALPC, which can allow a local user to gain SYSTEM privileges. We have confirmed that the public exploit code works on 64-bit Windows 10 and Windows Server 2016 systems. Compatibility with other Windows versions may be possible with modification of the publicly-available exploit source code,” says the Vulnerability Note VU#906424.

The CERT/CC is currently unaware of a practical solution to this problem.

How to detect if a system is exploited?

“If you use Microsoft Sysmon, look for spoolsv.exe spawning abnormal processes — it’s a sure sign this exploit is being used (or another Spooler exploit). Similarly if you use Sysmon, look for conhost.exe (Task Scheduler) spawning under abnormal processes (e.g. the Print Spooler),” explained security researcher Kevin Beaumont in a post.
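The two indicators Beaumont describes translate directly into detection logic over Sysmon Event ID 1 (process creation) records. The script below is an added example, not code from the article, from Beaumont, or from Sysmon itself: it parses a constructed, simplified Sysmon XML export (real exports carry a namespace and many more fields) and flags spoolsv.exe spawning a child outside a small allowlist, and conhost.exe appearing under a parent that should never need a console. The allowlist and the set of abnormal parents are assumptions a defender would tune for their own environment.

```python
"""Flag Sysmon Event ID 1 records matching the two indicators from the
article: spoolsv.exe spawning an unexpected child, or conhost.exe being
created under an unexpected parent.

Added example; not the article's, Beaumont's, or Sysmon's own code. The
sample events and the allow/deny lists below are constructed assumptions.
"""
import ntpath
import xml.etree.ElementTree as ET

# Children the Print Spooler legitimately starts (assumption; tune per host).
EXPECTED_SPOOLER_CHILDREN = {
    "printisolationhost.exe",
    "splwow64.exe",
    "printfilterpipelinesvc.exe",
}

# Parents that should never need a console host (assumption; extend as needed).
CONSOLE_ABNORMAL_PARENTS = {"spoolsv.exe"}


def parse_sysmon_events(xml_text):
    """Return the EventData of every Event ID 1 record as a dict of field -> value."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.findall("Event"):
        if ev.findtext("System/EventID") != "1":
            continue  # only process-creation records matter here
        fields = {d.get("Name"): (d.text or "") for d in ev.findall("EventData/Data")}
        events.append(fields)
    return events


def basename(path):
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return the list of rule names a single process-creation event trips."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    findings = []
    if parent == "spoolsv.exe" and image not in EXPECTED_SPOOLER_CHILDREN:
        findings.append("spoolsv_abnormal_child")
    if image == "conhost.exe" and parent in CONSOLE_ABNORMAL_PARENTS:
        findings.append("conhost_abnormal_parent")
    return findings


def detect(xml_text):
    """Run both rules over an XML export and return one alert per rule hit."""
    alerts = []
    for ev in parse_sysmon_events(xml_text):
        for rule in classify(ev):
            alerts.append({
                "rule": rule,
                "parent": ev.get("ParentImage", ""),
                "image": ev.get("Image", ""),
                "cmdline": ev.get("CommandLine", ""),
            })
    return alerts


# Constructed sample export: one benign spooler child, two suspicious spawns,
# one benign conhost, and one non-process-creation record that must be skipped.
SAMPLE_EVENTS = """<Events>
 <Event><System><EventID>1</EventID></System><EventData>
  <Data Name="Image">C:\\Windows\\System32\\PrintIsolationHost.exe</Data>
  <Data Name="CommandLine">PrintIsolationHost.exe -Embedding</Data>
  <Data Name="ParentImage">C:\\Windows\\System32\\spoolsv.exe</Data>
 </EventData></Event>
 <Event><System><EventID>1</EventID></System><EventData>
  <Data Name="Image">C:\\Windows\\System32\\cmd.exe</Data>
  <Data Name="CommandLine">cmd.exe /c whoami</Data>
  <Data Name="ParentImage">C:\\Windows\\System32\\spoolsv.exe</Data>
 </EventData></Event>
 <Event><System><EventID>1</EventID></System><EventData>
  <Data Name="Image">C:\\Windows\\System32\\conhost.exe</Data>
  <Data Name="CommandLine">\\??\\C:\\Windows\\system32\\conhost.exe 0x4</Data>
  <Data Name="ParentImage">C:\\Windows\\System32\\spoolsv.exe</Data>
 </EventData></Event>
 <Event><System><EventID>1</EventID></System><EventData>
  <Data Name="Image">C:\\Windows\\System32\\conhost.exe</Data>
  <Data Name="CommandLine">\\??\\C:\\Windows\\system32\\conhost.exe 0x4</Data>
  <Data Name="ParentImage">C:\\Windows\\System32\\cmd.exe</Data>
 </EventData></Event>
 <Event><System><EventID>3</EventID></System><EventData>
  <Data Name="Image">C:\\Windows\\System32\\svchost.exe</Data>
  <Data Name="DestinationIp">192.0.2.10</Data>
 </EventData></Event>
</Events>"""


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f'{alert["rule"]}: {alert["parent"]} -> {alert["image"]} ({alert["cmdline"]})')
```

On a live host the same rules would be fed from the `Microsoft-Windows-Sysmon/Operational` channel instead of the embedded sample; the allowlist approach is deliberate, since an unexpected spooler child is the signal and enumerating every possible bad child is not feasible.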


Microsoft hasn’t yet reacted to the vulnerability, but it is expected that the tech giant will patch the flaw at the time of its Patch Tuesday which is scheduled for September 11.
