Bug-hunter reveals another 'make me admin' Windows 10 zero-day – and vows: 'There's more where that came from'

Updated A bug-hunter who previously disclosed Windows security flaws has publicly revealed another zero-day vulnerability in Microsoft's latest operating systems.

The discovered hole can be exploited by malware and rogue logged-in users to gain system-level privileges on Windows 10 and recent Server releases, allowing them to gain full control of the machine. No patch exists for this bug, details and exploit code for which were shared online on Tuesday for anyone to use and abuse.

The flaw was uncovered, and revealed on Microsoft-owned GitHub, funnily enough, by a pseudonymous netizen going by the handle SandboxEscaper. She has previously dropped Windows zero-days that can be exploited to delete or tamper with operating system components, elevate local privileges, and so on.

This latest one works by abusing Windows' schtasks tool, designed to run programs at scheduled times, along with quirks in the operating system.

It appears the exploit code imports a legacy job file into the Windows Task Scheduler using schtasks, creating a new task, and then deletes that new task's file from the Windows folder. Next, it creates a hard filesystem link pointing from where the new task's file was created to pci.sys, one of Windows' kernel-level driver files, and then runs the same schtasks command again. This clobbers pci.sys's access permissions so that it can be modified and overwritten by the user, thus opening the door to privileged code execution.

The exploit, as implemented, needs to know a valid username and password combo on the machine to proceed, it seems. It can be tweaked and rebuilt from its source code to target other system files, other than pci.sys.

Will Dormann, a vulnerability analyst at the CERT Coordination Center, part of the US government-funded Software Engineering Institute, confirmed the exploit works against a fully patched and up-to-date version of Windows 10, 32 and 64-bit, as well as Windows Server 2016 and 2019. Windows 8 and 7 appear unaffected by the 'sploit as it currently stands.

Here's a video of the proof-of-concept attack in action:

SandboxEscaper just released this video as well as the POC for a Windows 10 priv esc pic.twitter.com/IZZzVFOBZc

— Chase Dardaman (@CharlesDardaman) May 21, 2019

To be generous to Microsoft, privilege escalation flaws are a dime a dozen in Windows: the software giant patches them every month in its operating system.

And it will likely be patching more still – SandboxEscaper apparently has more zero-days up her sleeve aside from this latest vulnerability: "I have four more unpatched bugs where that one came from. Three LPEs [local privilege escalations], all gaining code exec as system, not lame delete bugs or whatever, and one sandbox escape," she boasted on Tuesday.

She's also rather peeved at the West and society in general, and hopes to sell some of her exploits to non-Western miscreants, though she did not specify a currency: "If any non-western people want to buy LPEs, let me know. (Windows LPE only, not doing any other research nor interested in doing so). Won't sell for less then 60k for an LPE. I don't owe society a single thing. Just want to get rich and give you fucktards in the West the middle finger."

The researcher earlier waxed lyrically about exploring trails in northern England while complaining that "human society deeply disgusts me."

Spokespeople for Microsoft declined to comment. ®

Updated to add

More technical details on the Task Scheduler exploit are now available here. Also, SandboxEscaper has released more exploits: a non-zero-day privilege escalation via the Windows Error Reporting system, and a zero-day mechanism for running malicious JavaScript in Internet Explorer 11 with high privileges that expected. There's also a system32 write bug, and another that grants user full read-write access to privileged files.