SB2018082901 - Privilege escalation in Microsoft Windows
Published: August 29, 2018 Updated: September 11, 2018
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Privilege escalation (CVE-ID: CVE-2018-8440)
The vulnerability allows a local attacker to gain elevated privileges on the target system.
The vulnerability exists due to ALPC access control flaw. A local attacker can create a hard link from a readable file on the system to a '.job' file in the 'c:\windows\tasks' directory, invoke the _SchRpcSetSecurity() method of the task scheduler service ALPC endpoint to overwrite the linked file and gain system level privileges on the target system. The vulnerability was dubbed "SendboxEscaper".
Note: the vulnerability is being exploited in the wild by the PowerPool group.
Remediation
Install update from vendor's website.
References
- https://twitter.com/SandboxEscaper/status/1034125195148255235
- https://github.com/SandboxEscaper/randomrepo/blob/master/PoC-LPE.rar
- https://www.kb.cert.org/vuls/id/906424
- https://www.welivesecurity.com/2018/09/05/powerpool-malware-exploits-zero-day-vulnerability/
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8440