In April, Ben published a detailed analysis of this issue, which allowed us to reproduce it and create a micropatch for Windows computers that haven't received an official fix from Microsoft.
The vulnerability is easy to understand: if a scheduled task contains an environment variable in its executable path, expansion of this variable may result in the double quotes around the path being lost, which could then lead to the "unquoted path" vulnerability.
On the other hand, the issue is not so easy to exploit, assuming that the local attacker does not have administrative privileges (why would they need a local privilege elevation vulnerability if they did?). The first condition is that a scheduled task whose path to the executable contains an environment variable must already exist on the system, and the second condition is that the attacker is able to create a malicious executable called program.exe in the root of the C: drive. The latter is, by default, only allowed for administrators and system, so the computer would have to be in some custom configuration.
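To check a machine for the first condition, the following added example (not 0patch's or Microsoft's code) parses a Task Scheduler XML export and flags actions whose executable path contains an environment variable and, once expanded, a space. The task XML, the environment map and the function names are constructed for illustration, and the audit assumes the quotes are lost on expansion as described above.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
VAR = re.compile(r"%([^%]+)%")

# Constructed sample in the format produced by `schtasks /query /xml`.
SAMPLE_TASK_XML = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions>
    <Exec><Command>"%ProgramFiles%\Example Vendor\updater.exe"</Command></Exec>
    <Exec><Command>"C:\Program Files\Example Vendor\agent.exe"</Command></Exec>
    <Exec><Command>%windir%\system32\example.exe</Command></Exec>
  </Actions>
</Task>"""
# Constructed environment; on a real host, build this from os.environ.
SAMPLE_ENV = {"programfiles": r"C:\Program Files", "windir": r"C:\Windows"}


def expand(command, env):
    """Expand %VAR% case-insensitively; unknown variables stay as written."""
    return VAR.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), command)


def earlier_candidates(path):
    """Files Windows would try before the intended one if `path` is unquoted.

    Documented CreateProcess behaviour: each space may end the program name.
    """
    parts = path.split(" ")
    prefixes = (" ".join(parts[:i]) for i in range(1, len(parts)))
    return [p if p.lower().endswith(".exe") else p + ".exe" for p in prefixes]


def audit_task(xml_text, env):
    """Flag actions with an environment variable in the executable path whose
    expansion contains a space, assuming the surrounding quotes get lost."""
    findings = []
    for node in ET.fromstring(xml_text).iterfind(".//t:Exec/t:Command", NS):
        raw = (node.text or "").strip()
        if not VAR.search(raw):
            continue  # no variable: quoting is not affected by expansion
        expanded = expand(raw.strip('"'), env)
        if " " in expanded:
            findings.append((raw, expanded, earlier_candidates(expanded)))
    return findings


if __name__ == "__main__":
    for raw, expanded, candidates in audit_task(SAMPLE_TASK_XML, SAMPLE_ENV):
        print(f"{raw}\n  expands to: {expanded}\n  tried first if unquoted: {candidates}")
```

A finding matters only if the second condition also holds, so check separately whether non-administrators can create files in the listed locations, starting with the root of the C: drive.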
Nevertheless, we decided to patch this, since at least a couple of our users may have both these conditions fulfilled. While still-supported Windows systems have already received the official vendor fix for this vulnerability, there are Windows systems out there that aren't receiving security fixes from Microsoft anymore. In order to protect these systems, we have created our own micropatches for this vulnerability, which are available through the 0patch service.
Our patch is functionally similar to Microsoft's, but in our case applying the patch doesn't require a restart of the Task Scheduler service (while Microsoft's does).
The micropatch was written for the following security-adopted versions of Windows with all available Windows Updates installed:
- Windows 10 v2004
- Windows 10 v1909
- Windows 10 v1809
- Windows 10 v1803
This micropatch has already been distributed to, and applied on, all online 0patch Agents in PRO or Enterprise accounts (unless Enterprise group settings prevent that).
Vulnerabilities like this one get discovered on a regular basis, and attackers know about them all. If you're using Windows versions that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.
If you're new to 0patch, create a free account in 0patch Central, then install and register 0patch Agent from 0patch.com, and email [email protected] for a trial. Everything else will happen automatically. No computer reboot will be needed.
To learn more about 0patch, please visit our Help Center.
We’d like to thank Ben Lincoln of Bishop Fox for sharing their analysis, which allowed us to
create a micropatch and protect our users against this attack. We also
encourage all security researchers to privately share their analyses