
             AUSCERT External Security Bulletin Redistribution

                       Vulnerability Note VU#906424
                              30 August 2018


        AusCERT Security Bulletin Summary

Product:           Microsoft Windows Task Scheduler
Operating System:  Windows
Impact/Access:     Administrator Compromise -- Existing Account
Resolution:        None

Original Bulletin: 

--------------------------BEGIN INCLUDED TEXT--------------------

Vulnerability Note VU#906424

Microsoft Windows task scheduler contains a local privilege escalation
vulnerability in the ALPC interface

Original Release date: 27 Aug 2018 | Last revised: 29 Aug 2018


Microsoft Windows task scheduler contains a local privilege escalation
vulnerability in the Advanced Local Procedure Call (ALPC) interface, which can
allow a local user to obtain SYSTEM privileges.


The Microsoft Windows task scheduler SchRpcSetSecurity API contains a
vulnerability in the handling of ALPC, which can allow a local user to gain
SYSTEM privileges. We have confirmed that the public exploit code works on
64-bit Windows 10 and Windows Server 2016 systems. We have also confirmed
compatibility with 32-bit Windows 10 with minor modifications to the public
exploit code. Compatibility with other Windows versions is possible with
further modifications.


A local user may be able to gain elevated (SYSTEM) privileges.


The CERT/CC is currently unaware of a practical solution to this problem.

Vendor Information

Vendor     Status    Date Notified  Date Updated
Microsoft  Affected  27 Aug 2018    27 Aug 2018

If you are a vendor and your product is affected, let us know.

CVSS Metrics

    Group     Score            Vector
Base          6.8   AV:L/AC:L/Au:S/C:C/I:C/A:C
Temporal      6.5   E:F/RL:U/RC:C
Environmental 6.4   CDP:ND/TD:H/CR:ND/IR:ND/AR:ND


  o https://github.com/SandboxEscaper/randomrepo/blob/master/PoC-LPE.rar
  o https://doublepulsar.com/task-scheduler-alpc-exploit-high-level-analysis-ff08cda6ad4f
  o https://msdn.microsoft.com/en-us/library/cc248452.aspx


This issue was publicly disclosed by SandboxEscaper.

This document was written by Will Dormann.

Other Information

  o CVE IDs: Unknown
  o Date Public: 27 Aug 2018
  o Date First Published: 27 Aug 2018
  o Date Last Updated: 29 Aug 2018
  o Document Revision: 23


If you have feedback, comments, or additional information about this
vulnerability, please send us email.

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.