As discussed in my last blog the issue of unquoted paths for services has been around for over 15 years. Despite this there is another potential privilege escalation with unquoted paths which doesn't get as much coverage, these are Scheduled Tasks.
A scheduled task is a feature of Windows to automate tasks that perform actions at a specific time or when a certain event occurs. Windows by default has numerous scheduled tasks which you can see using the command line tool, schtasks. For example the following command will list all the scheduled tasks on your machine:-
schtasks /query /fo LIST /v
As you can see there is a lot! We will drill down and take a look at one of the common tasks.
schtasks /query /fo LIST /v /tn Microsoft\Windows\Defrag\ScheduledDefrag
Folder: Microsoft\Windows\Defrag
HostName: CHARLIESPC
TaskName: Microsoft\Windows\Defrag\ScheduledDefrag
Next Run Time: N/A
Logon Mode: Interactive/Background
Task To Run: %windir%\system32\defrag.exe -c -h -o -$
Scheduled Task State: Enabled
Run As User: SYSTEM
Schedule Type: On demand only
As you can see, the task runs the defrag tool as SYSTEM. This means that tasks are like services in that they can run with the same all-powerful SYSTEM privilege. Wouldn't it be bad if scheduled tasks suffer from the same privilege escalation vulnerability as services? Well, unfortunately they do!
Many third party vendors use tasks to perform scheduled actions, like checking for software updates or upload of usage telemetry data. If a scheduled task runs a program with a path that contains spaces, then this is potentially vulnerable. Let's look at a hypothetical example:-
HostName: CHARLIESPC
TaskName: \OctaveUpdaterTask
Next Run Time: 06/11/2015 03:00:44
Logon Mode: Interactive/Background
Task To Run: C:\Program Files\Octave Corp\OctaveUpdater.exe
Scheduled Task State: Enabled
Run As User: SYSTEM
Schedule Type: Daily
Days: Every 1 day(s)
In this example, the Octave Corporation as part of its product has created a daily scheduled task to run a program which checks for any software updates. The OctaveUpdater program runs from a path that contains spaces, so is potentially vulnerable to privilege escalation as it runs as SYSTEM.
I say it is potentially vulnerable as it depends if the vendor has followed good security principles on their folders. Let’s consider the likely points of exploitation:-
- C:\Program.exe
- C:\Program Files\Octave.exe
- C:\Program Files\Octave Corp\
We can check the security of each potentially vulnerable folder by using Windows' icacls tool:-
icacls C:\
BUILTIN\Administrators:(OI)(CI)(F) - Full control
NT AUTHORITY\SYSTEM:(OI)(CI)(F) - Full control
BUILTIN\Users:(OI)(CI)(RX) - Read & Execute
NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(M) - Modify, subfolders and files
NT AUTHORITY\Authenticated Users:(AD) - Add directory, this folder only
Mandatory Label\High Mandatory Level:(OI)(NP)(IO)(NW)
If the user is an administrator they would be able to drop a malicious program called Program.exe in the root of C: but as a standard user they would only be able to create folders in the root of the drive therefore not exploitable. So let's move along to potentially vulnerable path #2. If we run icacls on C:\Program Files, we'll see a similar story where admins have full control and users with standard user rights can only read or execute folders and files respectively. Let's carry on to look at vulnerable path #3:-
icacls C:\Program Files\Octave Corp
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(M)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
We see that the vendor changed the default Windows security of the Octave Corp folder by adding an extra security setting giving all users modify rights. This means that a malicious program could replace the OctaveUpdater.exe in the Octave Corp folder. And at 3am every day, bad stuff happens!
The same recommendations to mitigate privilege escalation for services also hold true for Scheduled Tasks.
For software vendors:
- ALWAYS quote paths for scheduled tasks
- AVOID running scheduled tasks from folders that user has full access to
- DO NOT weaken the default security that Windows has put in place.
For businesses:
Ensure all users run as a standard user. The benefits of this include:-
- Malware running as a standard user cannot drop programs in folders like C:\Program Files or the Windows system folder
- Service and scheduled tasks cannot be created that use SYSTEM or other privileged accounts
- Perform a security audit of services and scheduled tasks on machines to check for vulnerable paths
- If you have an application allow listing solution, ensure trusted owner and publisher is being employed.
Is this a challenge you’re currently experiencing? I’d love to hear your thoughts.
Until next time….take tasks to task!
