A security researcher has publicly disclosed the details of a zero-day vulnerability in Microsoft Windows operating system. It’s a privilege escalation vulnerability, which resides in the Windows task scheduler program and occurred due to errors in the handling of Advanced Local Procedure Call (ALPC) systems. The ALPC interface is a Windows-internal mechanism that works as an inter-process communication system. ALPC enables a client process running within the OS to ask a server process running within the same OS to provide some information or perform some action.
The researcher has also released a proof-of-concept (PoC) code, which exploits the ALPC interface to gain SYSTEM access on a Windows system.
Currently public exploit code works on 64-bit Windows 10 and Windows Server 2016 systems. Other Windows versions may be affected with little modification of the exploit source code.
According to the researcher,
_SchRpcSetSecurity which is part of the task scheduler ALPC endpoint allows us to set an arbitrary DACL. It will Set the security of a file in c:\windows\tasks without impersonating, a non-admin (works from Guest too) user can write here. Before the task scheduler writes the DACL we can create a hard link to any file we have read access over. This will result in an arbitrary DACL write. This PoC will overwrite a printer related dll and use it as a hijacking vector. This is of course one of many options to abuse this.
Successful exploitation would get a process spawned under the Print Spooler service (spoolsv.exe) calls cmd.exe, which spawns connhost.exe, which in turn spawns a random process.
Qualys customers can scan their network with QID#371164 to detect vulnerable targets. CERT/CC has confirmed the vulnerability and issued an official advisory VU#906424 for this. Please continue to follow Qualys Threat Protection for more information on this vulnerability.