Privilege escalation in Microsoft Windows



Published: 2018-08-29 | Updated: 2018-09-11
Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE ID CVE-2018-8440
CWE ID CWE-264
Exploitation vector Local
Public exploit This vulnerability is being exploited in the wild.
Vulnerable software
Subscribe
Windows
Operating systems & Components / Operating system

Windows Server
Operating systems & Components / Operating system

Vendor Microsoft

Security Advisory

Update 29.08.2018

- fixed CVSSv3 metrics to include PoC code availability
- changed list of affected software

Update 06.09.2018

Added information about in the wild exploitation of the vulnerability by the PowerPool group, changed severity level to medium. This vulnerability is now considered a zero-day.

Update 11.09.2018

Microsoft has issued security patch to address this vulnerability.

1) Privilege escalation

Risk: Medium

CVSSv3: 7.5 [CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C] [PCI]

CVE-ID: CVE-2018-8440

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: Yes [Search exploit]

Description

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The vulnerability exists due to ALPC access control flaw. A local attacker can create a hard link from a readable file on the system to a '.job' file in the 'c:\windows\tasks' directory, invoke the _SchRpcSetSecurity() method of the task scheduler service ALPC endpoint to overwrite the linked file and gain system level privileges on the target system. The vulnerability was dubbed "SendboxEscaper".

Note: the vulnerability is being exploited in the wild by the PowerPool group.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Windows: 7, 8.1, 10, RT 8.1

Windows Server: 2008, 2008 R2, 2012, 2012 R2, 2016

CPE External links

https://twitter.com/SandboxEscaper/status/1034125195148255235
https://github.com/SandboxEscaper/randomrepo/blob/master/PoC-LPE.rar
https://www.kb.cert.org/vuls/id/906424
https://www.welivesecurity.com/2018/09/05/powerpool-malware-exploits-zero-day-vulnerability/
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8440

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.