Microsoft Windows Task Scheduler Privilege Escalation Vulnerability (Zero Day)

A security researcher has publicly disclosed the details of a zero-day vulnerability in Microsoft Windows operating system. It’s a privilege escalation vulnerability, which resides in the Windows task scheduler program and occurred due to errors in the handling of Advanced Local Procedure Call (ALPC) systems. The ALPC interface is a Windows-internal mechanism that works as an inter-process communication system. ALPC enables a client process running within the OS to ask a server process running within the same OS to provide some information or perform some action.
The researcher has also released a proof-of-concept (PoC) code, which exploits the ALPC interface to gain SYSTEM access on a Windows system.

Affected systems:

Currently public exploit code works on 64-bit Windows 10 and Windows Server 2016 systems. Other Windows versions may be affected with little modification of the exploit source code.

Vulnerability Cause:

According to the researcher,

_SchRpcSetSecurity which is part of the task scheduler ALPC endpoint allows us to set an arbitrary DACL. It will Set the security of a file in c:\windows\tasks without impersonating, a non-admin (works from Guest too) user can write here. Before the task scheduler writes the DACL we can create a hard link to any file we have read access over. This will result in an arbitrary DACL write.
This PoC will overwrite a printer related dll and use it as a hijacking vector. This is of course one of many options to abuse this.

Successful exploitation would get a process spawned under the Print Spooler service (spoolsv.exe) calls cmd.exe, which spawns connhost.exe, which in turn spawns a random process.


Qualys customers can scan their network with QID#371164 to detect vulnerable targets. CERT/CC has confirmed the vulnerability and issued an official advisory VU#906424 for this. Please continue to follow Qualys Threat Protection for more information on this vulnerability.

Update: The vulnerability is tracked via CVE-2018-8440 .Microsoft has released patches to address this vulnerability.


Leave a Reply

Your email address will not be published. Required fields are marked *