Security Flaws in Windows Task Scheduler Allow Privilege Escalation and Log Tampering

By Tina Reynolds

In ongoing investigations, researchers have found dangerous vulnerabilities in the Windows Task Scheduler, a critical component of Microsoft’s operating system. This tool enables system administrators to create, delete, query, change, run, and end scheduled tasks on both local and remote computers. The findings concern four newly disclosed critical vulnerabilities in a rarely used but often-abused binary, “schtasks.exe.” These defects would allow a local attacker to escalate privileges and modify the system logs.

The schtasks.exe utility is available to any user who wants to create a task, yet the service that executes those tasks runs permanently at SYSTEM level. This unusual configuration lets attackers exploit the vulnerabilities by moving between different privilege levels, process integrity levels, and impersonated users. The consequences are alarming: an attacker can gain unauthorized access with full data-breach potential.

Nature of the Vulnerabilities

Security researchers have found vulnerabilities that attackers can exploit through Batch Logon. In this approach, an adversary creates a new scheduled task by supplying a password. The resulting process is granted full rights, circumventing User Account Control (UAC) protections. Ruben Enkaoua, a security researcher at the attack simulation platform Cymulate, stresses that these vulnerabilities put powerful tools in the hands of attackers: they can run high-privilege commands without any user consent.

“A User Account Control bypass vulnerability has been found in Microsoft Windows, enabling attackers to bypass the User Account Control, allowing them to execute high-privilege (SYSTEM) commands without user approval.” – Ruben Enkaoua

In short, the Batch Logon method poses enormous risks, while creating scheduled tasks with an Interactive Token does not expose these vulnerabilities. For the Batch Logon attack to work, the attacker must first obtain the target user’s password. That opens several possibilities, from cracking a captured NTLMv2 hash to exploiting weaknesses such as CVE-2023-21726.
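As an added defensive check (example code written for this article, not from Cymulate or Microsoft), the following PowerShell enumerates existing scheduled tasks whose principal uses a stored-password (Batch) logon, the configuration the article says exposes the issue, and reports which of them run elevated. The function name and output fields are this example’s own; it relies only on the built-in ScheduledTasks module.

```powershell
# Added example, not the article's or Cymulate's code: audit scheduled tasks that
# use a stored-password (Batch) logon instead of an Interactive Token, so an
# administrator can review them. Function and field names are this example's own.
# Requires the built-in ScheduledTasks module (Windows 8 / Server 2012 and later).

function Get-PasswordLogonTask {
    [CmdletBinding()]
    param()

    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object {
            # 'Password' is the stored-credential (Batch) logon that
            # schtasks /ru <user> /rp <password> produces;
            # 'InteractiveOrPassword' falls back to the password when
            # the user is not logged on, so it is reported as well.
            $_.Principal.LogonType -in @('Password', 'InteractiveOrPassword')
        } |
        ForEach-Object {
            $info = $_ | Get-ScheduledTaskInfo -ErrorAction SilentlyContinue
            [PSCustomObject]@{
                TaskName  = $_.TaskName
                TaskPath  = $_.TaskPath
                RunAs     = $_.Principal.UserId
                LogonType = $_.Principal.LogonType
                # 'Highest' means the task runs with the full (elevated) token.
                RunLevel  = $_.Principal.RunLevel
                Author    = $_.Author
                LastRun   = $info.LastRunTime
                Actions   = ($_.Actions |
                    ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
            }
        }
}

# Usage: list password-logon tasks, elevated ones first, for manual review.
Get-PasswordLogonTask |
    Sort-Object -Property RunLevel -Descending |
    Format-Table TaskName, RunAs, LogonType, RunLevel, Author, Actions -AutoSize
```

Run it from an elevated session so tasks in every folder are visible; an empty result means no task on the host relies on a stored password.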

Potential Impact of Exploitation

The real-world impact of exploiting these vulnerabilities is severe. They allow attackers to escalate privileges and execute malicious payloads with administrative rights, resulting in unauthorized access or data theft. Attackers can also delete logs to hide traces of their actions, making investigation and remediation much harder for sysadmins.

“By exploiting this weakness, attackers can elevate their privileges and run malicious payloads with Administrators’ rights, leading to unauthorized access, data theft, or further system compromise.” – Ruben Enkaoua

Enkaoua highlighted that the first disclosed vulnerability is more than a basic UAC bypass. Given a user’s password, an attacker can impersonate that user from the command line interface (CLI) and obtain the highest level of privilege for the actions the task performs.

“The first reported vulnerability is not only a UAC Bypass. It is far more than that: it is essentially a way to impersonate any user with its password from CLI and to obtain the maximum granted privileges on the task execution session, with the /ru and /rp flags.” – Ruben Enkaoua

Recommendations for Mitigation

Given the critical nature of these vulnerabilities, consumers and administrators should act quickly and responsibly. Developers and admins should watch closely for updates from Microsoft, which will directly address these security vulnerabilities. Other best practices, such as proper password management and access control, remain necessary, since the Batch Logon attack depends on the attacker obtaining a password in the first place.