Just a week after Microsoft's monthly cycle of security updates, exploit developer SandboxEscaper has quietly released a new zero-day exploit for the Windows operating system.

This exploit, the fifth in a series that began in late August last year, achieves local privilege escalation, giving a limited user full control over files reserved for high-privilege accounts such as SYSTEM and TrustedInstaller.

Once again, SandboxEscaper targeted the Task Scheduler utility, this time abusing its ability to import legacy tasks from other systems. In the days of Windows XP, tasks were stored in the .JOB format, and such files can still be added to newer versions of the operating system.

The researcher explains that the bug is triggered by importing legacy task files into the Task Scheduler on Windows 10. Running a command with the 'schtasks.exe' and 'schedsvc.dll' executables copied from the old system results in a remote procedure call (RPC) to "_SchRpcRegisterTask", a method that registers a task with the server and is not properly protected by the Task Scheduler service.

"I assume that to trigger this bug you can just call into this function directly without using that schtasks.exe copied from Windows XP... but I am not great at reversing," said SandboxEscaper.

She went on to say that what starts with limited privileges ends up with SYSTEM rights once a specific function is called. To prove the validity of her work, she shared a video showing the PoC in action on Windows x86.

Will Dormann, a vulnerability analyst at CERT/CC, adds to the explanation by saying that the proof-of-concept code from SandboxEscaper exploits a flaw in the Windows 10 Task Scheduler "where it sets SetSecurityInfo() on a legacy imported task."

"The exploit calls the code once, deletes the file, and then calls it again with an NTFS hard link pointing to the file that gets permissions clobbered with SetSecurityInfo()," the security researcher told BleepingComputer.
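The observable result of the technique Dormann describes is a protected file whose DACL has been rewritten to grant a low-privilege principal write access. The following PowerShell script is an added example for defenders, not code from the article, from SandboxEscaper or from CERT/CC: it walks a protected directory and reports any Allow entry that hands write-class rights (WriteData, AppendData, WriteDAC, WriteOwner, Delete) to Everyone, Authenticated Users, BUILTIN\Users or Anonymous. The scan root and the list of low-privilege SIDs are assumptions chosen for illustration; on a clean system the script should report nothing.

```powershell
# Added example: audit protected system files for DACL entries that grant
# write-class rights to low-privilege principals. A clobbered security
# descriptor leaves exactly this kind of entry behind. The scan root and
# principal list are assumptions, not values from the article.

$Roots = @("$env:SystemRoot\System32")   # assumed scan root; extend as needed
$LowPrivPrincipals = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-7'        # Anonymous
)

# Rights that let a non-admin modify, replace or re-ACL a protected file.
# FullControl is deliberately not in the mask: it would match read-only ACEs too,
# and any FullControl ACE already carries every bit below.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [System.Security.AccessControl.FileSystemRights]::WriteDAC -bor
             [System.Security.AccessControl.FileSystemRights]::WriteOwner -bor
             [System.Security.AccessControl.FileSystemRights]::Delete

function Test-SuspiciousAce {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)

    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    try {
        $sid = $Ace.IdentityReference.Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        return $false   # unresolvable principal; not one of the well-known SIDs
    }
    if ($LowPrivPrincipals -notcontains $sid) { return $false }
    return (([int]$Ace.FileSystemRights -band [int]$WriteMask) -ne 0)
}

$findings = foreach ($root in $Roots) {
    Get-ChildItem -LiteralPath $root -File -Recurse -ErrorAction SilentlyContinue |
      ForEach-Object {
        try { $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction Stop } catch { return }
        foreach ($ace in $acl.Access) {
            if (Test-SuspiciousAce $ace) {
                [pscustomobject]@{
                    Path      = $_.FullName
                    Owner     = $acl.Owner          # expect TrustedInstaller/SYSTEM here
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited    # non-inherited hits are the interesting ones
                }
            }
        }
      }
}

$findings | Sort-Object Path | Format-Table -AutoSize
```

Run it from an elevated prompt so every file's ACL can be read. Treat a non-inherited hit on a file owned by TrustedInstaller or SYSTEM as a triage item: compare its DACL against the same file on a known-good build, and pair the finding with Task Scheduler and object-access audit logs from the same host to establish when and by whom the descriptor changed.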

Dormann tested the exploit code and confirmed that it works without any modification on a fully patched Windows 10 x86 system, with a 100% success rate.

The only versions of the operating system on which Dormann could not reproduce SandboxEscaper's exploit were Windows 8 and Windows 7.

The developer stated on her blog that she has four more undisclosed zero-day bugs: three are local privilege escalation flaws leading to code execution, and the fourth is a sandbox escape.
