Cybersecurity researchers have detailed four different vulnerabilities in a core component of the Windows task scheduling service that can be used by local attackers to escalate privileges and erase logs to cover up evidence of malicious activity.
The problems have been identified in a binary named “schtasks.exe”, which allows an administrator to create, delete, query, change, run and end scheduled tasks on a local or remote computer.
“A [User Account Control] vulnerability was found in Microsoft Windows, allowing attackers to bypass User Account Control and execute high-privilege (SYSTEM) commands without approval,” according to a report shared with The Hacker News.
“Using this weakness, attackers can elevate their privileges and run malicious payloads with administrator rights, which will lead to unauthorized access, data theft or further system compromise.”
The problem, according to the cybersecurity company, arises when the attacker creates a scheduled task using Batch Logon (i.e., a password) as opposed to an Interactive Token, causing the Task Scheduler service to grant the running process the maximum allowed rights.
However, for this attack to work, the threat actor must acquire the password through some other means, such as exploiting CVE-2023-21726.
The net result of this issue is that a low-privileged user can use the schtasks.exe binary to impersonate members of groups such as Administrators, Backup Operators and Performance Log Users with a known password.
Registering a scheduled task using the Batch Logon authentication method with an XML file can also pave the way for two defense evasion techniques: overwriting the Task Event Log, effectively erasing the audit trail of previous activity, and overflowing the Security logs.
In particular, this involves registering a task whose author name in the XML file is, say, the letter A repeated 3500 times, causing the entire XML task log description to be overwritten. This behavior can be extended further to overwrite the whole “C:\Windows\System32\winevt\logs\Security.evtx” database.
“The Task Scheduler is a very interesting component. Accessible by anyone who is ready to create a task, initiated by a service running as SYSTEM, working between the privileges, the integrity of the processes and the tasks of users,” said Enkaoua.
“The first reported vulnerability is not only a UAC bypass. It is much more: it is, in fact, a way to impersonate any user with their password from the CLI and get the maximum granted privileges in the task session, with the /ru and /rp flags.”
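
For defenders, the task properties described above (Batch Logon with a password, an oversized author name in the task XML, and the /ru and /rp flags) can be checked for directly. The following is an added example, not code from the researchers' report: it audits a task definition and a schtasks command line, and the 256-character author threshold, the account names and the sample XML fragment are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Namespace of the Task Scheduler XML schema.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
MAX_AUTHOR_LEN = 256  # assumed threshold, tune to your environment


def audit_task_xml(xml_text):
    """Return findings for one task definition (empty list = nothing flagged)."""
    root = ET.fromstring(xml_text)
    findings = []
    author = root.findtext("t:RegistrationInfo/t:Author", default="", namespaces=NS)
    if len(author) > MAX_AUTHOR_LEN:
        findings.append(f"oversized Author field ({len(author)} chars)")
    for principal in root.findall("t:Principals/t:Principal", NS):
        # LogonType "Password" is a batch logon with stored credentials,
        # as opposed to "InteractiveToken".
        if principal.findtext("t:LogonType", default="", namespaces=NS) == "Password":
            user = principal.findtext("t:UserId", default="?", namespaces=NS)
            findings.append(f"batch logon with stored password for {user}")
    return findings


def schtasks_uses_password(cmdline):
    """True if a schtasks command line passes both /ru and /rp."""
    tokens = cmdline.lower().split()
    return bool(tokens) and "schtasks" in tokens[0] and {"/ru", "/rp"} <= set(tokens)


def sample_task(author, logon_type):
    # Constructed fragment: only the elements the audit reads, not a full task.
    return (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        f"<RegistrationInfo><Author>{author}</Author></RegistrationInfo>"
        '<Principals><Principal id="Author">'
        f"<UserId>EXAMPLE\\svc-demo</UserId><LogonType>{logon_type}</LogonType>"
        "</Principal></Principals></Task>"
    )


if __name__ == "__main__":
    print(audit_task_xml(sample_task("EXAMPLE\\alice", "InteractiveToken")))
    print(audit_task_xml(sample_task("A" * 3500, "Password")))
    print(schtasks_uses_password("schtasks.exe /create /tn demo /xml demo.xml /ru user /rp pass"))
```

A legitimate service task can also use a stored password, so a batch-logon finding is a prompt to review who registered the task rather than proof of abuse.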