![]() Testing confirms that this technique is perfectly valid. If not, this method will fail.Īccording to this, even a low-privileged client may pass in a NULL value in place of a password, provided that: (a) the specified flag is set, and (b) the caller is not attempting to create a task that runs as the local system account. If pwszAccountName specifies the local system account, the caller must be an administrator on the local computer or an application running in the local system account. Use the IScheduledWorkItem::SetFlags method to set the flag. If you set the TASK_FLAG_RUN_ONLY_IF_LOGGED_ON flag, you may also set pwszPassword to NULL for local or domain user accounts. Set this parameter to NULL if the local system account is specified. However, in the documentation for the Task Scheduler COM API, one finds the following information regarding the password parameter (pwszPassword) of the SetAccountInformation method: For example, if malware executes with user-level privileges, it may not know the cleartext password. This somewhat limits the usability of the exploit in a real-world attack scenario. The posted exploit code requires the attacker to possess the cleartext password of the account being used for the attack. Through this, an attacker can gain full control of any local file on all versions of Windows 10. Since this file is actually a hard link, this security information will be applied to the target file. ![]() The Task Scheduler service will update the security information on the file in the preferred folder, granting ownership and full control to the attacker. Use the Task Scheduler RPC interface to migrate the task to the preferred folder. Manually place a new task with the same name into the legacy folder. Replace the file in the preferred folder with a hard link to an arbitrary target file. The essential steps of the attack are as follows: This particular combination of behaviors leaves an opening for a hard link attack. One consequence of this is that a client can manually place a file in the legacy folder, then make use of the Task Scheduler to have the task migrated to the preferred folder. ![]() The permissions on the two task folders permit all authenticated users to create files within those folders. Critically, the Task Scheduler service performs this action using its own highly-privileged SYSTEM token. I am still not certain where or how the password is actually stored for scheduled tasks but it does not appear to be stored in the registry-at least not in HKLM-which is a good thing.When saving a task file to the preferred location, the service will set security information on the file granting ownership and full control to the owner of the task. I do not know if it is simply verifying the password entered in the task at that point or if it is somehow storing (or linking) the task credentials in the SAM. The lsass.exe writes to the SAM file when a task password is updated. I can also see svchost.exe accessing the same portions of the registry, which is probably the operating system updating the Task Scheduler service (netsvcs), itself. Using Process Monitor, I can see mmc.exe accessing the "schedule" key when a task is created or modified. As a matter of fact, I see no associated changes anywhere in HKLM. However, changing solely the password of an existing user account that is used to run a scheduled task results in no apparent changes in any values below the "Schedule" key. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\\Triggers HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\CredWom\x-n-n-nn-nnnnnnnnnn-nnnnnnnnnn-nnnnnnnnn-nnnnn\Index HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ScheduleĬhanging the credentials (username and password) used to run a particular task results in changes to the following values: To add some additional information, it would appear that scheduled tasks are stored at the following location in the registry:
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |