Zero-day vulnerability in Windows

Privilege escalation

A privilege escalation vulnerability was first publicly disclosed on Twitter on August 27, 2018. It was successful incorporated into malware used by the PowerPool group, reported by ESET.
The vulnerability was dubbed SendboxEscaper by its author.

Vulnerability details

Advisory: SB2018082901 - Privilege escalation in Microsoft Windows

Vulnerable component: Windows

CVE-ID: CVE-2018-8440

CVSSv3 score: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls


The vulnerability allows a local attacker to gain elevated privileges on the target system.

The vulnerability exists due to ALPC access control flaw. A local attacker can create a hard link from a readable file on the system to a '.job' file in the 'c:\windows\tasks' directory, invoke the _SchRpcSetSecurity() method of the task scheduler service ALPC endpoint to overwrite the linked file and gain system level privileges on the target system. The vulnerability was dubbed "SendboxEscaper".

Note: the vulnerability is being exploited in the wild by the PowerPool group.