Path of enlightenment part 2 – Taking tasks to task

October 20, 2017


As discussed in my last blog, the issue of unquoted paths for services has been around for over 15 years. Despite this, there is another potential privilege escalation with unquoted paths that gets far less coverage: Scheduled Tasks.

A scheduled task is a Windows feature that automates actions at a specific time or when a certain event occurs. Windows has numerous scheduled tasks by default, which you can list with the command line tool schtasks. For example, the following command lists all the scheduled tasks on your machine:-

schtasks /query /fo LIST /v

As you can see, there are a lot! We will drill down and take a look at one of the common tasks:-

schtasks /query /fo LIST /v /tn Microsoft\Windows\Defrag\ScheduledDefrag


Folder: Microsoft\Windows\Defrag
HostName: CHARLIESPC
TaskName: Microsoft\Windows\Defrag\ScheduledDefrag
Next Run Time: N/A
Logon Mode: Interactive/Background
Task To Run: %windir%\system32\defrag.exe -c -h -o -$
Scheduled Task State: Enabled
Run As User: SYSTEM
Schedule Type: On demand only

As you can see, the task runs the defrag tool as SYSTEM. This means that tasks, like services, can run with the same all-powerful SYSTEM privilege. Wouldn't it be bad if scheduled tasks suffered from the same privilege escalation vulnerability as services? Well, unfortunately they do!

Many third party vendors use tasks to perform scheduled actions, such as checking for software updates or uploading usage telemetry data. If a scheduled task runs a program from an unquoted path that contains spaces, then it is potentially vulnerable. Let's look at a hypothetical example:-

HostName: CHARLIESPC
TaskName: \OctaveUpdaterTask
Next Run Time: 06/11/2015 03:00:44
Logon Mode: Interactive/Background
Task To Run: C:\Program Files\Octave Corp\OctaveUpdater.exe
Scheduled Task State: Enabled
Run As User: SYSTEM
Schedule Type: Daily
Days: Every 1 day(s)

In this example, Octave Corporation has, as part of its product, created a daily scheduled task that runs a program to check for software updates. The OctaveUpdater program runs from a path that contains spaces and it runs as SYSTEM, so it is potentially vulnerable to privilege escalation.

I say potentially vulnerable because it depends on whether the vendor has followed good security principles for their folders. Let's consider the likely points of exploitation:-

  1. C:\Program.exe
  2. C:\Program Files\Octave.exe
  3. C:\Program Files\Octave Corp\
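The following is an added example, not code from the original post or from any BeyondTrust product. It is a small Python audit script that parses captured `schtasks /query /fo LIST /v` output, keeps the tasks that run as a privileged account, and for every unquoted path containing spaces lists the locations Windows would try before the real binary, in the same order as the three points above, plus the folder the binary lives in (which needs an ACL check even when the path is quoted). The sample records are constructed: the two tasks shown in this post, a task whose vendor quoted the path, and a task that runs as an ordinary user. The PRIVILEGED_ACCOUNTS set and the rule that the first token ending in .exe ends the executable path are assumptions made for the example.

```python
import re

# Assumption: accounts treated as privileged when they appear in "Run As User".
PRIVILEGED_ACCOUNTS = {"SYSTEM", "NT AUTHORITY\\SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}

# Constructed sample in the format of "schtasks /query /fo LIST /v", trimmed to
# the fields this audit needs: the two tasks from the post, a task whose vendor
# quoted the path, and a task that runs as an ordinary user.
SAMPLE_SCHTASKS_LIST = r'''
Folder: Microsoft\Windows\Defrag
HostName: CHARLIESPC
TaskName: Microsoft\Windows\Defrag\ScheduledDefrag
Task To Run: %windir%\system32\defrag.exe -c -h -o -$
Scheduled Task State: Enabled
Run As User: SYSTEM

HostName: CHARLIESPC
TaskName: \OctaveUpdaterTask
Task To Run: C:\Program Files\Octave Corp\OctaveUpdater.exe
Scheduled Task State: Enabled
Run As User: SYSTEM

HostName: CHARLIESPC
TaskName: \QuotedVendorTask
Task To Run: "C:\Program Files\Quoted Vendor\Agent.exe" /silent
Scheduled Task State: Enabled
Run As User: SYSTEM

HostName: CHARLIESPC
TaskName: \OctaveTrayTask
Task To Run: C:\Program Files\Octave Corp\OctaveTray.exe
Scheduled Task State: Enabled
Run As User: CHARLIESPC\charlie
'''


def parse_schtasks_list(text):
    """Split LIST output into one dict of 'Field: value' pairs per task."""
    tasks = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                fields[key.strip()] = value.strip()
        if "TaskName" in fields:
            tasks.append(fields)
    return tasks


def executable_path(command):
    """Return (path, quoted) for a 'Task To Run' string.

    A quoted command is unambiguous. For an unquoted one this assumes the
    executable is the first token ending in .exe and everything after it is
    arguments (a simplification: other extensions such as .com are ignored)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return (command[1:end] if end > 0 else command[1:]), True
    tokens = command.split(" ")
    for i, token in enumerate(tokens):
        if token.lower().endswith(".exe"):
            return " ".join(tokens[: i + 1]), False
    return tokens[0], False


def parent_dir(path):
    return path.rsplit("\\", 1)[0] + "\\"


def hijack_candidates(exe_path):
    """Locations to check for an unquoted path with spaces, in the order
    Windows tries them: each space-delimited prefix (with .exe appended when
    the prefix has no extension), then the folder the real binary lives in."""
    tokens = exe_path.split(" ")
    candidates = []
    for i in range(1, len(tokens)):
        prefix = " ".join(tokens[:i])
        leaf = prefix.rsplit("\\", 1)[-1]
        candidates.append(prefix if "." in leaf else prefix + ".exe")
    candidates.append(parent_dir(exe_path))
    return candidates


def audit_tasks(listing):
    """Report every privileged task and the locations whose ACLs need review."""
    findings = []
    for task in parse_schtasks_list(listing):
        if task.get("Run As User", "").upper() not in PRIVILEGED_ACCOUNTS:
            continue  # a task running as a normal user gives no escalation
        exe_path, quoted = executable_path(task.get("Task To Run", ""))
        unquoted_with_spaces = not quoted and " " in exe_path
        findings.append({
            "task": task["TaskName"],
            "run_as": task["Run As User"],
            "exe_path": exe_path,
            "unquoted_with_spaces": unquoted_with_spaces,
            # Even a quoted or space-free path is only as safe as its folder's ACL.
            "check": hijack_candidates(exe_path) if unquoted_with_spaces else [parent_dir(exe_path)],
        })
    return findings


if __name__ == "__main__":
    for finding in audit_tasks(SAMPLE_SCHTASKS_LIST):
        flag = "UNQUOTED PATH WITH SPACES" if finding["unquoted_with_spaces"] else "ok"
        print(f"{finding['task']} ({finding['run_as']}): {flag}")
        for location in finding["check"]:
            print(f"    check ACL: {location}")
```

On a real machine you would feed the script the saved output of `schtasks /query /fo LIST /v` instead of the constructed sample; the "check ACL" locations it prints are exactly the ones to run icacls against in the next step.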

We can check the security of each potentially vulnerable location using Windows' icacls tool:-

icacls C:\

BUILTIN\Administrators:(OI)(CI)(F) - Full control
NT AUTHORITY\SYSTEM:(OI)(CI)(F) - Full control
BUILTIN\Users:(OI)(CI)(RX) - Read & Execute
NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(M) - Modify, subfolders and files
NT AUTHORITY\Authenticated Users:(AD) - Add directory, this folder only
Mandatory Label\High Mandatory Level:(OI)(NP)(IO)(NW)

If the user is an administrator they would be able to drop a malicious program called Program.exe in the root of C:, but as a standard user they would only be able to create folders in the root of the drive (the (AD) entry for Authenticated Users; the Modify entry is inherit-only, so it applies to subfolders and files rather than to the root itself), so this location is not exploitable. So let's move along to potentially vulnerable path #2. If we run icacls on C:\Program Files, we'll see a similar story: admins have full control and standard users can only read and execute folders and files. Let's carry on and look at vulnerable path #3:-

icacls "C:\Program Files\Octave Corp"

NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(M)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)

We see that the vendor changed the default Windows security of the Octave Corp folder by adding an extra, non-inherited entry (BUILTIN\Users:(M)) that gives all users modify rights. This means that a malicious program could replace OctaveUpdater.exe in the Octave Corp folder. And at 3am every day, bad stuff happens!
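Reading icacls output by eye is error-prone once you have dozens of tasks to audit, so here is an added example (not code from the original post or from BeyondTrust) in Python that parses captured icacls output for a folder and reports whether a principal that a standard user belongs to can create or replace files in that folder itself, as opposed to merely creating subfolders or holding inherit-only rights. The two sample listings are constructed in the format icacls prints, modelled on the C:\ and Octave Corp listings above. The LOW_PRIV_PRINCIPALS set, the mapping of F/M/W/WD to "can write files" and AD to "subfolders only", and the choice to simply ignore deny entries are assumptions made for the example.

```python
import re

# Principals that a standard (non-admin) user is a member of (an assumption;
# extend it with your own groups such as Domain Users).
LOW_PRIV_PRINCIPALS = {
    "BUILTIN\\Users",
    "NT AUTHORITY\\Authenticated Users",
    "NT AUTHORITY\\INTERACTIVE",
    "Everyone",
}
FILE_WRITE_RIGHTS = {"F", "M", "W", "WD"}   # enough to drop or replace a file
SUBFOLDER_ONLY_RIGHTS = {"AD"}              # only lets the user create subfolders
INHERITANCE_FLAGS = {"OI", "CI", "IO", "NP", "I"}

ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<flags>(?:\([^)]*\))+)$")

# Constructed samples in the format icacls prints (the first line carries the
# folder path), modelled on the two listings in the post.
ROOT_ACL = r'''C:\ BUILTIN\Administrators:(OI)(CI)(F)
    NT AUTHORITY\SYSTEM:(OI)(CI)(F)
    BUILTIN\Users:(OI)(CI)(RX)
    NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(M)
    NT AUTHORITY\Authenticated Users:(AD)
    Mandatory Label\High Mandatory Level:(OI)(NP)(IO)(NW)

Successfully processed 1 files; Failed processing 0 files
'''

VENDOR_ACL = r'''C:\Program Files\Octave Corp NT SERVICE\TrustedInstaller:(I)(F)
                               NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                               NT AUTHORITY\SYSTEM:(I)(F)
                               NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                               BUILTIN\Administrators:(I)(F)
                               BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                               BUILTIN\Users:(I)(RX)
                               BUILTIN\Users:(M)
                               CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
'''


def parse_icacls(output, folder):
    """Return [(principal, set_of_flag_tokens)] for each ACE line."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(folder):          # only the first line carries the path
            line = line[len(folder):].strip()
        match = ACE_RE.match(line)
        if not match:
            continue                         # blank line or the summary line
        tokens = set()
        for group in re.findall(r"\(([^)]*)\)", match.group("flags")):
            tokens.update(t.strip() for t in group.split(","))
        aces.append((match.group("principal"), tokens))
    return aces


def writable_by_standard_users(output, folder):
    """Classify the low-privilege ACEs that apply to the folder itself."""
    result = {"file_write": [], "subfolder_only": []}
    for principal, tokens in parse_icacls(output, folder):
        if principal not in LOW_PRIV_PRINCIPALS or "DENY" in tokens:
            continue
        if "IO" in tokens:
            continue   # inherit-only: governs children, not this folder
        rights = tokens - INHERITANCE_FLAGS
        if rights & FILE_WRITE_RIGHTS:
            result["file_write"].append(principal)
        elif rights & SUBFOLDER_ONLY_RIGHTS:
            result["subfolder_only"].append(principal)
    return result


def audit_folder(folder, output):
    hits = writable_by_standard_users(output, folder)
    hits["folder"] = folder
    # A standard user can plant or replace a program only with file-write rights;
    # being able to create subfolders alone (the C:\ case) is not enough.
    hits["exploitable"] = bool(hits["file_write"])
    return hits


if __name__ == "__main__":
    for folder, listing in (("C:\\", ROOT_ACL), ("C:\\Program Files\\Octave Corp", VENDOR_ACL)):
        print(audit_folder(folder, listing))
```

Run against the two listings, the root of C: comes back as not exploitable (Authenticated Users can only add subfolders there) while the Octave Corp folder is flagged because of the explicit BUILTIN\Users:(M) entry, which matches the manual reasoning above.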

The same recommendations to mitigate privilege escalation for services also hold true for Scheduled Tasks.

For software vendors:

  • ALWAYS quote paths for scheduled tasks
  • AVOID running scheduled tasks from folders that users have full access to
  • DO NOT weaken the default security that Windows has put in place.

For businesses:

  • Ensure all users run as a standard user. The benefits of this include:-
    • Malware running as a standard user cannot drop programs in folders like C:\Program Files or the Windows system folder
    • Services and scheduled tasks cannot be created that use SYSTEM or other privileged accounts
  • Perform a security audit of services and scheduled tasks on machines to check for vulnerable paths
  • If you have an application allow listing solution, ensure trusted owner and trusted publisher rules are being employed.

Is this a challenge you’re currently experiencing? I’d love to hear your thoughts.

Until next time… take tasks to task!

John Goodridge
