Microsoft Task Scheduler ALPC Exploit

Most of the time, when security researchers need to disclose a vulnerability, they let the company know and wait for it to be fixed. @SandboxEscaper did not do that…

It is a privilege escalation exploit that affects basically every version of Windows that runs Windows Task Scheduler. The best part: it has no patch yet.

What is the flaw?

The Task Scheduler API function doesn’t check permissions. AT ALL. The function SchRpcSetSecurity can be misused to alter file permissions. A hard link can then be created so that a print job sent through the XPS service ends up injecting a malicious DLL as the SYSTEM user. All of this runs inside the print spooler process (spoolsv.exe).

Image credit: Kevin Beaumont

What does that mean?

Basically, this exploit tricks your computer into thinking it’s printing something, but then runs attacker-supplied code instead.

How do we fix it?

Wait for Microsoft to fix it.
