Cybersecurity researchers have detailed four different vulnerabilities in a core component of the Windows task scheduling service that could be exploited by local attackers to achieve privilege escalation and erase logs to cover up evidence of malicious activities.
The issues have been uncovered in a binary named “schtasks.exe,” which enables an administrator to create, delete, query, change, run, and end scheduled tasks on a local or remote computer.
“A [User Account Control] bypass vulnerability has been found in Microsoft Windows, enabling attackers to bypass the User Account Control prompt, allowing them to execute high-privilege (SYSTEM) commands without user approval,” Cymulate security researcher Ruben Enkaoua said in a report shared with The Hacker News.
“By exploiting this weakness, attackers can elevate their privileges and run malicious payloads with Administrators’ rights, leading to unauthorized access, data theft, or further system compromise.”
The problem, the cybersecurity company said, occurs when an attacker creates a scheduled task using Batch Logon (i.e., a password) as opposed to an Interactive Token, causing the task scheduler service to grant the running process the maximum allowed rights.
However, for this attack to work, it hinges on the threat actor acquiring the password through some other means, such as cracking an NTLMv2 hash after authenticating against an SMB server or exploiting flaws such as CVE-2023-21726.
A net result of this issue is that a low-privileged user can leverage the schtasks.exe binary and impersonate a member of groups such as Administrators, Backup Operators, and Performance Log Users with a known password to obtain the maximum allowed privileges.
The registration of a scheduled task using a Batch Logon authentication method with an XML file can also pave the way for two defense evasion techniques that make it possible to overwrite Task Event Log, effectively erasing audit trails of prior activity, as well as overflow Security Logs.
Specifically, this involves registering a task with an author with the name, say, where the letter A is repeated 3,500 times, in the XML file, causing the entire XML task log description to be overwritten. This behavior could then be extended further to overwrite the whole “C:\Windows\System32\winevt\logs\Security.evtx” database.
“The Task Scheduler is a very interesting component. Accessible by anyone willing to create a task, initiated by a SYSTEM running service, juggling between the privileges, the process integrities and user impersonations,” Enkaoua said.
“The first reported vulnerability is not only a UAC Bypass. It is far more than that: it is essentially a way to impersonate any user with its password from CLI and to obtain the maximum granted privileges on the task execution session, with the /ru and /rp flags.”
