Recently, Windows was hit with the disclosure of several zero-day flaws. A researcher using the handle SandboxEscaper released x zero-day bugs over a period of x days. While official patches from Microsoft are still awaited, the security firm 0patch has released an interim micropatch for one of the flaws.
What is the vulnerability?
0patch has released a fix for the Local Privilege Escalation (LPE) bug in Microsoft Task Scheduler which was disclosed by SandboxEscaper towards the end of May.
The flaw allows privilege escalation when legacy tasks are imported from other systems into Microsoft Task Scheduler. With the escalated privileges, a low-privileged local user can modify system files and implant backdoors.
Mitja Kolsek, co-founder of 0patch and CEO of Acros Security, described the bug in a statement to Threatpost. “Since these are executed in high-privileged context, the attacker’s code can get executed and, for instance, promote the attacker to local administrator or obtain covert persistence on the computer,” Kolsek stated.
How does the micropatch work?
The micropatch fixes the flaw by blocking a Remote Procedure Call (RPC) named “SchRpcSetSecurity.” Although SandboxEscaper’s exploit originally used an RPC call to “SchRpcRegisterTask,” a fallback call to “SchRpcSetSecurity” was also made if the primary call failed. 0patch
“It looked like some monitoring thread was used for getting the job done when the original call failed, but this thread was not called via RPC, and client impersonation could not be used there,” explained Kolsek, in a blog.
“We therefore decided on a more drastic approach and simply amputated the call to SetSecurity…after that, we got the desired behavior. Since we didn’t even touch schedsvc.dll, the new (non-legacy) Task Scheduler functionality was not affected at all,” wrote Kolsek, explaining the approach.
It should be noted that the micropatch released by 0patch is available for Windows 10 only. Researchers claim that the exploit released by SandboxEscaper has only minimal effect on Windows 8 systems. Moreover, the vulnerability has not been demonstrated to affect Windows 7 devices.
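Because the affected code path is the legacy (Task Scheduler 1.0) import, a defender's first question is whether any legacy “.job” tasks exist on a host at all, and on which Windows version. The following PowerShell script is an added example written for this page; it is not 0patch's code and is not part of the original article. It assumes the default legacy task directory %windir%\Tasks and should be run from an elevated prompt. It inventories .job files, their owner and last-write time, and flags any file whose ACL grants write-class rights to broad low-privilege principals (a constructed heuristic, not a check the article describes).

```powershell
# Added example (not from 0patch or the article): inventory legacy Task Scheduler 1.0
# ".job" files, the format consumed by the legacy import path discussed above.
# Assumption: the default legacy task directory is %windir%\Tasks.

$taskDir = Join-Path $env:windir 'Tasks'

# Report the OS, since the interim micropatch is only offered for Windows 10.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
Write-Host ("OS: {0} (build {1})" -f $os.Caption, $os.BuildNumber)

$jobs = Get-ChildItem -Path $taskDir -Filter '*.job' -File -ErrorAction SilentlyContinue
if (-not $jobs) {
    Write-Host "No legacy .job files found in $taskDir"
    return
}

foreach ($job in $jobs) {
    $acl = Get-Acl -Path $job.FullName

    # Heuristic (assumption, not from the article): flag Allow ACEs that give
    # write-class rights to Everyone, Authenticated Users or BUILTIN\Users.
    $broadWrite = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -match 'Everyone|Authenticated Users|BUILTIN\\Users' -and
        $_.FileSystemRights -match 'Write|Modify|FullControl'
    }

    [pscustomobject]@{
        Job               = $job.Name
        LastWrite         = $job.LastWriteTime
        Owner             = $acl.Owner
        BroadWriteAccess  = [bool]$broadWrite
    }
}
```

The output is an inventory, not a detection of exploitation: a host with no .job files still runs the legacy import code, and the script says nothing about whether the 0patch micropatch or a Microsoft patch is installed. It does tell an administrator whether legacy tasks are in use at all, which matters when deciding whether the interim patch is worth deploying ahead of the official fix.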
Additionally, 0patch researchers are also working on a fix for another recently disclosed Windows bypass vulnerability, which was likewise released by SandboxEscaper. The researcher has made a name for themselves by publicly releasing a series of proof-of-concept (PoC) exploits on GitHub for various flaws affecting Microsoft Windows.