Zero-day vulnerability found in Microsoft's Task Scheduler
A zero-day vulnerability has been found in Microsoft's Windows Task Scheduler that could enable hackers to gain elevated privileges. The vulnerability does not yet have a patch. The flaw is in the Advanced Local Procedure Call (ALPC) interface of the Windows Task Scheduler on 64-bit operating systems such as Windows 10 and Windows Server 2016. The API does not check permissions, so any hacker can alter them. The Computer Emergency Readiness Team (CERT) has confirmed in its recently released report that the flaw can be exploited on Windows 10 and Windows Server 2016.
Microsoft Task Scheduler is a Windows feature that enables users to schedule programs to run at pre-determined times. Its ALPC interface is an inter-process communication facility used by Windows OS components to pass messages. One part of this interface, SchRpcSetSecurity, is open for access, so anyone can set local file permissions. The flaw leverages SchRpcSetSecurity to alter permissions, creates a hard link, and then triggers a print job through the XPS printer (installed with Windows XP Service Pack 2 and later) to load the hijacked DLL as SYSTEM via the Spooler process. To gain elevated privileges, a hacker would need to be local, and exploitation requires prior code execution. The exploit would also need modifications to work on operating systems other than 64-bit ones. It also hard-codes the prnms003 driver, which does not exist on Windows 7.
Currently there is no patch for this vulnerability, and CERT is not aware of a solution to this problem as of today. A patch may be part of Microsoft's regularly scheduled Patch Tuesday release on September 11. In the meantime, you can use Microsoft's Sysmon to look for abnormal processes being spawned from spoolsv.exe. Also look for abnormal processes spawned by conhost.exe (Task Scheduler).
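As an added example that is not part of the original article, the following PowerShell hunt pulls Sysmon process-creation events (Event ID 1) and reports children of spoolsv.exe and conhost.exe, the two parents named above. It assumes Sysmon is installed with ProcessCreate logging enabled and that the shell can read the Sysmon operational log; the known-good child list and the -MaxEvents value are placeholder choices of mine.

```powershell
# Added example, not from the article: hunt Sysmon ProcessCreate events (Event ID 1)
# whose parent is spoolsv.exe or conhost.exe, the two parents the article says to watch.
# Assumes Sysmon is installed with ProcessCreate logging enabled and that this shell has
# rights to read the Sysmon operational log.
$watchedParents = @('spoolsv.exe', 'conhost.exe')

# Children you have confirmed as benign during baselining (constructed placeholder list;
# populate it from your own hosts before alerting on the output).
$knownGoodChildren = @()

# -MaxEvents is an arbitrary cap for an interactive hunt; raise it or drop it for a full sweep.
$filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 5000 -ErrorAction SilentlyContinue

$findings = foreach ($e in $events) {
    # Sysmon stores its fields as <Data Name="..."> elements; flatten them into a hashtable.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $parent = [System.IO.Path]::GetFileName([string]$data['ParentImage']).ToLowerInvariant()
    $child  = [System.IO.Path]::GetFileName([string]$data['Image']).ToLowerInvariant()

    if ($watchedParents -contains $parent -and $knownGoodChildren -notcontains $child) {
        [pscustomobject]@{
            Time           = $e.TimeCreated
            Parent         = $data['ParentImage']
            Image          = $data['Image']
            CommandLine    = $data['CommandLine']
            User           = $data['User']
            IntegrityLevel = $data['IntegrityLevel']
        }
    }
}

# A child of spoolsv.exe running as SYSTEM that is not a known print component deserves a look.
$findings | Sort-Object Time | Format-Table -AutoSize
```

Run it from an elevated PowerShell session; an empty table means no unexpected children were logged in the events examined, not that the host is unaffected.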