0patch released micropatch for BearLPE Zero-Day flaw in Windows 10 Task Scheduler
An unpatched local privilege escalation zero-day vulnerability in Windows 10 received a temporary patch today. The fix is delivered through the 0patch platform and can be applied on systems without rebooting them.
Exploit code is available for this zero-day flaw from researcher SandboxEscaper, who named it BearLPE when she published it ten days ago, and targets the Task Scheduler component in Windows 10.
An attacker can use this bug after they compromised the target host to take control of files that are reserved for high-privilege users such as SYSTEM and TrustedInstaller. This way, they can act with increased rights on vulnerable systems.
According to Will Dormann, a vulnerability analyst at CERT/CC, the exploit is 100% reliable on x86 systems and needs to be recompiled for x64 machines.
0patch co-founder Mitja Kolsek explains that the problem stems from legacy support of task files, which can be added to a modern system from an old one.
The video below demonstrates how the micropatch works on a vulnerable machine:
“When you run Windows XP schtasks.exe on Windows 10, legacy RPC functions are called – which in turn call the current ones, such as SchRpcSetSecurity,” Kolsek says.
He further details that “code in taskcomp.dll thread runs as Local System and its caller is the attacker. But before it calls SchRpcSetSecurity, it doesn’t impersonate the caller – it impersonates “self” to enable the SeRestorePrivilege privilege (needed for changing file permissions).”
The outcome is that the request does not come from the limited user but from Local System, which has elevated privileges on the machine and thus can control sensitive files.
The micropatch runs the corrective instructions in memory and prevents changing the set of permissions a normal user has over a system file.
All existing 0patch users already have the fix running on their machines. To get it, you need to create an account and install the 0patch agent.
At the moment it is available for Windows 10 v1809 32bit, Windows 10 v1809 64bit, and Windows Server 2019 but it will be available for other versions. Paying customers can make a request for porting the patch for other platforms by emailing the 0patch support address.