Zero-day vulnerability in Windows

Privilege escalation
CVE-2018-8440

A privilege escalation vulnerability was first publicly disclosed on Twitter on August 27, 2018. It was successful incorporated into malware used by the PowerPool group, reported by ESET.
The vulnerability was dubbed SendboxEscaper by its author.

Vulnerability details

Advisory: SB2018082901 - Privilege escalation in Microsoft Windows

Vulnerable component: Windows

CVE-ID: CVE-2018-8440

CVSSv3 score: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Description:

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The vulnerability exists due to ALPC access control flaw. A local attacker can create a hard link from a readable file on the system to a '.job' file in the 'c:\windows\tasks' directory, invoke the _SchRpcSetSecurity() method of the task scheduler service ALPC endpoint to overwrite the linked file and gain system level privileges on the target system. The vulnerability was dubbed "SendboxEscaper".

Note: the vulnerability is being exploited in the wild by the PowerPool group.

Latest references in media:

- Microsoft September Patch Fixed 61 Vulnerabilities Including A Zero-Day [2018-09-16 16:30:48]

- Update now! Microsoft’s September 2018 Patch Tuesday is here [2018-09-13 12:00:13]

- Update now! Microsoft’s September 2018 Patch Tuesday is here [2018-09-13 11:51:20]

- Patch Tuesday, September 2018 [2018-09-12 23:11:04]

- Microsoft September 2018 Patch Tuesday Fixes 16 Critical Vulnerabilities [2018-09-12 16:40:20]

- Admins Urged to Patch Four Publicly Disclosed Bugs [2018-09-12 11:20:06]

- September 2018 Patch Tuesday: Microsoft fixes actively exploited zero-day [2018-09-12 11:11:23]

- September 2018 Patch Tuesday: Microsoft fixes actively exploited zero-day [2018-09-12 11:10:09]

- Microsoft Patch Tuesday updates for September 2018 also address recently disclosed Windows zero-day [2018-09-12 09:10:08]

- September Patch Tuesday: Windows Fixes ALPC Elevation of Privilege, Remote Code Execution Vulnerabilities [2018-09-12 09:00:15]

- Patch Tuesday, September 2018 [2018-09-12 07:11:03]

- Microsoft Released Security Updates with the Patch for 62 Vulnerabilities [2018-09-12 06:20:52]

- It's September of 2018, and Windows VMs can pwn their host servers by launching an app [2018-09-12 00:50:01]

- Microsoft September 2018 Patch Tuesday Fixes 17 Critical Vulnerabilities [2018-09-12 00:00:26]

- Microsoft Patches 61 Vulns, One Under Active Attack [2018-09-11 23:31:04]

- Microsoft Patches 61 Vulns, One Under Active Attack - Dark Reading [2018-09-11 23:20:08]

- Patch Tuesday, September 2018 Edition [2018-09-11 23:10:18]

- Patch Tuesday, September 2018 Edition [2018-09-11 23:01:28]

- Microsoft patches recent ALPC zero-day in September 2018 Patch Tuesday updates | ZDNet [2018-09-11 22:40:10]

- Microsoft Patches Windows Zero-Day Disclosed via Twitter [2018-09-11 22:00:12]

- Microsoft Has Released Software Updates for 17 Critical Vulnerabilities, Including 4 Publicly Disclosed Flaw. [2018-09-11 20:50:07]

Vulnerability Scanning SaaS

Vulnerability scanning SaaS service is online 3-rd generation vulnerability scanner with scheduled assessments and vulnerability subscription. You can use service to check security of your network perimeter.