Windows 0-day pops up out of Twitter

Discussion in 'other security issues & news' started by Minimalist, Aug 28, 2018.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
  2. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Vulnerability Note VU#906424
    Microsoft Windows task scheduler contains a local privilege escalation vulnerability in the ALPC interface

    Link: https://www.kb.cert.org/vuls/id/906424

     
  3. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,642
    Location:
    USA
    I hope they are fixing this sometime between today and real soon.
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Just one more way to escalate privileges in Windows.
     
  5. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    Microsoft obliquely acknowledges Windows 0-day bug published on Twitter
    https://arstechnica.com/gadgets/201...edges-windows-0-day-bug-published-on-twitter/
     
  6. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    Update: I've moved the old text into a spoiler. I was tempted to just delete it and save myself some embarrassment, but I decided to keep it here as a reminder not to drunk post, let alone drunk test!

    I was so completely wrong in my drunken assumption (now found in the spoiler) about why it wouldn't work on my PC. It turns out it was actually due to the removal of Printing related components, including spoolsv, with NTLite and not the Service Hardening I was going on about.

    /me slaps self

    Feel free to read my drunken ramblings from the night before and send me a slap of your own! I deserve it.

    I have read in 'some' related articles across other 'web sites' where they are saying there is still no known workaround to this exploit and we must all wait (hope) for a quick MS patch. That is so laughably sad....

    My system already seems to be "Immune to the PoC" (perhaps only the current form?) when tested in a VM.
    I'd like to think it is actually thanks to the custom Security Template I have in place for Services including "Schedule", among others and my 'very limited tests' so far back this hope up.

    They are much more limiting as to who can read anything, let alone Start/Stop/Pause or Write, to anything related to the service (among others) which is specifically designed to aid in preventing Admin 'mistakes'.

    Once an app is started as a Limited User, via GP/UAC at least, it can't even try to leave.

    That being said my setup is *rather unique* (as the sole user on my system) and I actually run using the "laughable" (according to 'acceptable' security standards) situation of running as Admin via "High Integrity" (Super/Built-In Admin) and simply starting non System/Security software as separate Standard Users pushed into 'hopefully inescapable boxes' with Medium Integrity and some choice GP rules via scripts.

    Starting with a High Integrity Admin allows me to also place abnormal restrictions on certain files/reg entries for Limited/Standard "Medium" Users/Authenticated Users that wouldn't be possible if the Admin in question (me) ran as a normal User 'until' asking for authentication.

    It'd also preclude me from blocking elevation via a UAC prompt...

    It would only be fair that I also append some other aspects I use (eg Path/User whitelisting and Write Filters) in my setup here so you don't think I'm relying on only a bit of "Service Hardening" for my protection.

    I suppose I should also deign to introduce my other best-friends, named MemProtect and Pumpernickel via https://excubits.com, as they help me take care of "pretty much everything" else I need to with this setup.

    I ran the PoC vs my default install (in a VM that was actually many months old, with no Excubits drivers active) and it still could not escalate to SYSTEM even when running from an Admin account.
    On a 'virgin' install it could escalate as advertised.

    My point is, there is actually no need to JUST wait & hope for MS to fix this for you *soon*.
    There is already a way to work around this that is readily available by just making use of custom ACEs/SDDLs.

    It's not the fault of MS that these service rights haven't been narrowed to the true minimum [cough, ok so maybe it is?].
    I suspect if THEY did limit more, it'd just be used against them. =(
    I'd likely have been one of those people hoping to use it if I hadn't considered and made the policy in question myself, as it requires a bit more knowledge and time to make changes when used!

    That all said, I didn't really take the time to do anything other than test the PoC as it was when downloaded and read a few articles.

    None of that makes me qualified to truly judge any part of it.

    Maybe it was only the beer I had in each hand that made me feel entitled to buck you all.
    So yeah, I'm here annoying everyone just because of the cans and waiting for people to say no you "can'tz" just fix it with an ace up your sleeve. :p

    I have not, however, tested how useful such changes might have been under 'expected' user scenarios. Nor have I debugged or otherwise stepped through the PoC at this stage to see if it could be easily tweaked to work on my system as well.

    Instead I deigned to post with pride and plan to hold my head high hoping for a quick decapitation so I can cry "FAKE NEWS"!
     
    Last edited: Aug 30, 2018
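The service-hardening idea in syrinx's post (custom ACEs/SDDLs on the "Schedule" service) can be checked rather than guessed at. The Python below is an added example, not code from the thread, from syrinx or from any tool named here: it parses the DACL part of an SDDL string of the kind `sc.exe sdshow Schedule` prints and reports allow-ACEs that give broad principals (Authenticated Users, Everyone, Users, Interactive Users) rights to change the service's configuration, start/stop it, or rewrite its DACL/owner. The two sample descriptors are constructed for illustration and are not the real default for the Task Scheduler service; the right-code mapping is the standard service-object meaning of the SDDL abbreviations.

```python
"""Check a Windows service security descriptor (SDDL) for overly broad rights.

Added example: given the DACL string that `sc.exe sdshow <service>` prints,
decode each ACE with the service-specific meaning of the SDDL right codes and
report allow-ACEs that grant change-config, start/stop or DAC/owner rights to
broad principals such as Authenticated Users. Sample descriptors are constructed.
"""
import re
from dataclasses import dataclass

# Service-object meaning of the generic SDDL right codes (bit values from winsvc.h).
SERVICE_RIGHTS = {
    "CC": ("SERVICE_QUERY_CONFIG", 0x0001),
    "DC": ("SERVICE_CHANGE_CONFIG", 0x0002),
    "LC": ("SERVICE_QUERY_STATUS", 0x0004),
    "SW": ("SERVICE_ENUMERATE_DEPENDENTS", 0x0008),
    "RP": ("SERVICE_START", 0x0010),
    "WP": ("SERVICE_STOP", 0x0020),
    "DT": ("SERVICE_PAUSE_CONTINUE", 0x0040),
    "LO": ("SERVICE_INTERROGATE", 0x0080),
    "CR": ("SERVICE_USER_DEFINED_CONTROL", 0x0100),
    "SD": ("DELETE", 0x00010000),
    "RC": ("READ_CONTROL", 0x00020000),
    "WD": ("WRITE_DAC", 0x00040000),
    "WO": ("WRITE_OWNER", 0x00080000),
    "GW": ("GENERIC_WRITE", 0x40000000),
    "GA": ("GENERIC_ALL", 0x10000000),
}
# Rights that let a principal reconfigure or drive the service, not merely inspect it.
SENSITIVE = {"DC", "RP", "WP", "DT", "SD", "WD", "WO", "GW", "GA"}
# Well-known SID abbreviations that cover many accounts at once.
BROAD_SIDS = {
    "AU": "Authenticated Users", "WD": "Everyone", "BU": "Users",
    "IU": "Interactive Users", "AN": "Anonymous Logon",
}


@dataclass(frozen=True)
class Ace:
    ace_type: str        # "A" allow, "D" deny, ...
    rights: frozenset    # two-letter right codes from SERVICE_RIGHTS
    sid: str             # SID abbreviation or S-1-... string


def decode_rights(field: str) -> frozenset:
    """Turn an SDDL rights field (letter pairs or a 0x mask) into right codes."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return frozenset(code for code, (_, bit) in SERVICE_RIGHTS.items() if mask & bit)
    if len(field) % 2:
        raise ValueError(f"odd-length rights field: {field!r}")
    return frozenset(field[i:i + 2] for i in range(0, len(field), 2))


def parse_dacl(sddl: str) -> list:
    """Extract the ACEs of the D: section; the S: (SACL) section is ignored."""
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL found in SDDL string")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(2)):
        parts = body.split(";")
        if len(parts) < 6:
            raise ValueError(f"malformed ACE: ({body})")
        aces.append(Ace(parts[0], decode_rights(parts[2]), parts[5]))
    return aces


def audit_service_sddl(sddl: str) -> list:
    """Return (principal, [right names]) for allow-ACEs giving broad SIDs sensitive rights."""
    findings = []
    for ace in parse_dacl(sddl):
        if ace.ace_type != "A" or ace.sid not in BROAD_SIDS:
            continue
        risky = sorted(ace.rights & SENSITIVE)
        if risky:
            findings.append((BROAD_SIDS[ace.sid], [SERVICE_RIGHTS[r][0] for r in risky]))
    return findings


# Constructed samples (not copied from any real machine).
# Read-only access for Authenticated Users, full control only for SYSTEM/Administrators.
TIGHT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
              "(A;;CCLCSWLOCRRC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# Same, but Authenticated Users can also change config and start/stop the service.
LOOSE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
              "(A;;CCDCLCSWRPWPLOCRRC;;;AU)")

if __name__ == "__main__":
    for name, sddl in (("tight", TIGHT_SDDL), ("loose", LOOSE_SDDL)):
        print(name, audit_service_sddl(sddl) or "no broad write rights")
```

On a real machine, paste the output of `sc.exe sdshow Schedule` into `audit_service_sddl`; an empty result means no broad principal holds write-like rights on the service object, which is the state a tightened descriptor of the kind syrinx describes should produce. The script only reads a descriptor, it does not change one.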
  7. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    Temporary Patch Available for Recent Windows Task Scheduler ALPC Zero-Day
    https://www.bleepingcomputer.com/ne...-recent-windows-task-scheduler-alpc-zero-day/
     
  8. guest

    guest Guest

    PowerPool malware exploits ALPC LPE zero-day vulnerability
    Malware from newly uncovered group PowerPool exploits zero-day vulnerability in the wild, only two days after its disclosure
    September 5, 2018
    https://www.welivesecurity.com/2018/09/05/powerpool-malware-exploits-zero-day-vulnerability/
     
  9. guest

    guest Guest

    The Windows ALPC security hole CVE-2018-8440 is now readily exploitable
    September 22, 2018
    https://www.askwoody.com/2018/the-w...ole-cve-2018-8440-is-now-readily-exploitable/
     
  10. guest

    guest Guest

    Microsoft Windows zero-day disclosed on Twitter, again
    Zero-day impacts Windows 10, Server 2016, and Server 2019 only
    October 23, 2018
    https://www.zdnet.com/article/microsoft-windows-zero-day-disclosed-on-twitter-again/
     
  11. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    James Forshaw (Google Project Zero and Chrome sandbox wizard) just did a nice follow-up blog on this. A much easier way for researchers to write a PoC for this attack.

    Twitter link: https://twitter.com/tiraniddo/status/1064236215342428160

    Blog link: https://tyranidslair.blogspot.com/2018/11/finding-windows-rpc-client.html
     
  12. guest

    guest Guest

    Windows Zero-Day PoC Lets You Read Any File with System Level Access
    December 20, 2018
    https://www.bleepingcomputer.com/ne...s-you-read-any-file-with-system-level-access/
     
  13. guest

    guest Guest

    Windows Zero-Day Bug Allows Overwriting Files with Arbitrary Data
    December 30, 2018
    https://www.bleepingcomputer.com/ne...allows-overwriting-files-with-arbitrary-data/
     
  14. guest

    guest Guest

    Tale of a Windows Error Reporting Zero-Day (CVE-2019-0863)
    July 2, 2019
    https://unit42.paloaltonetworks.com/tale-of-a-windows-error-reporting-zero-day-cve-2019-0863/
     
  15. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,508
  16. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    Doesn't really matter, attacks in the wild are never gonna get to you if you don't download random stuff. You could use Windows 2000 and as long as you had a decent browser and uBlock Origin you'd be fine :D

    (I'm pro-no security software, btw)
     