An anonymous hacker with an online alias “SandboxEscaper” today released proof-of-concept (PoC) exploit code for a new zero-day vulnerability affecting Windows 10 operating system—that’s his/her 5th publicly disclosed Windows zero-day exploit [1, 2, 3] in less than a year.
Published on GitHub, the new Windows 10 zero-day vulnerability is a privilege escalation issue that could allow a local attacker or malware to gain and run code with administrative system privileges on the targeted machines, eventually allowing the attacker to gain full control of the machine.
The vulnerability resides in Task Scheduler, a utility that enables Windows users to schedule the launch of programs or scripts at a predefined time or after specified time intervals.
SandboxEscaper’s exploit code makes use of SchRpcRegisterTask, a method in Task Scheduler to register tasks with the server, which doesn’t properly check for permissions and can, therefore, be used to set an arbitrary DACL (discretionary access control list) permission.
“This will result in a call to the following RPC “_SchRpcRegisterTask,” which is exposed by the task scheduler service,” SandboxEscaper said.
A malicious program or a low-privileged attacker can run a malformed .job file to obtain SYSTEM privileges, eventually allowing the attacker to gain full access to the targeted system.
The vulnerability has been tested and confirmed to be successfully working on a fully patched and updated version of Windows 10, 32-bit and 64-bit, as well as Windows Server 2016 and 2019.
More Windows Zero-Day Exploits to Come
Besides this, the hacker also teased that he/she still has 4 more undisclosed zero-day bugs in Windows, three of which leads to local privilege escalation and fourth one lets attackers bypass sandbox security.
The details and exploit code for the new Windows zero-day came just a week after Microsoft monthly patch updates, which means no patch exists for this vulnerability at the current, allowing anyone to exploit and abuse.
Windows 10 users need to wait for a security fix for this vulnerability until Microsoft’s next month security updates—unless the company comes up with an emergency update.