Windows Task Scheduler Riddled With Privilege Escalation Bugs

Security researchers have discovered not one, but four vulnerabilities lurking within the Windows task scheduling service. The bad news? Local attackers could exploit these flaws to gain elevated privileges and even wipe out logs, making it harder to trace their actions. Think of it as giving them keys to the kingdom and then letting them erase their tracks.

The culprit? A seemingly innocent binary called "schtasks.exe." This tool is supposed to help administrators manage scheduled tasks, but it's now been shown to have some serious weaknesses.

UAC Bypass: The Key to the Kingdom?

Ruben Enkaoua, a security researcher at Cymulate, explains that a User Account Control (UAC) bypass vulnerability is present in Microsoft Windows. This means attackers could sidestep the usual UAC prompt and execute commands with SYSTEM privileges – the highest level of access – without needing user approval.

"By exploiting this weakness, attackers can elevate their privileges and run malicious payloads with Administrators' rights, leading to unauthorized access, data theft, or further system compromise," Enkaoua said in a report.

So, how does this work? Apparently, the problem arises when an attacker sets up a scheduled task using Batch Logon (using a password) instead of an Interactive Token. This causes the task scheduler to hand over maximum rights to the running process.

There's a catch, though. The attacker needs to get their hands on a password first. This could involve cracking an NTLMv2 hash or exploiting other vulnerabilities, such as CVE-2023-21726.

The end result? A user with limited privileges can use schtasks.exe to impersonate powerful groups like Administrators and gain maximum privileges.

Covering Their Tracks: Log Tampering

But the vulnerabilities don't stop there. Registering a scheduled task using Batch Logon with an XML file can also open the door to defense evasion. Attackers can overwrite the Task Event Log, effectively deleting audit trails. They can even overflow Security Logs.

Imagine registering a task with an author name that's excessively long (like the letter "A" repeated thousands of times) in the XML file. This can overwrite the entire XML task log description and, potentially, even the whole "C:\Windows\System32\winevt\logs\Security.evtx" database.

A Risky Component

"The Task Scheduler is a very interesting component. Accessible by anyone willing to create a task, initiated by a SYSTEM running service, juggling between the privileges, the process integrities and user impersonations," Enkaoua noted.

He emphasizes that the first vulnerability isn't just a UAC bypass. "It is far more than that: it is essentially a way to impersonate any user with its password from CLI and to obtain the maximum granted privileges on the task execution session, with the /ru and /rp flags."