
Here's the exploit description from the writeup .doc file that is included in the .rar file that's hosted on GitHub:

  The task scheduler service has an alpc endpoint, supporting the method “SchRpcSetSecurity”.
  The prototype looks like this:

	long _SchRpcSetSecurity(
		[in][string] wchar_t* arg_1, //Task name
		[in][string] wchar_t* arg_2, //Security Descriptor string
		[in]long arg_3);

  Tasks created by the task scheduler will create a corresponding folder/file in c:\windows\system32\tasks. 
  This function seems to be designed to write the DACL of tasks located there, and will do so while impersonating.
 
  However, for some reason it will also check if a .job file exists under c:\windows\tasks and try to set the DACL 
  while not impersonating. 

  Since a user, and even a user belonging to the guests group can create files in this folder, we can simply create 
  a hardlink to another file (all we need is read access). 
  Because of the hardlink, we can let the task scheduler write an arbitrary DACL 
  (see second parameter of SchRpcSetSecurity) to a file of our choosing.

  So any file that we have read access over as a user and that system has the write DACL permission for, 
  we can pivot into full control and overwrite it.
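An added defender-side check, not part of the writeup or of this thread: a PowerShell audit of C:\Windows\Tasks that reports which principals are allowed to create files there and which existing files are hard-linked to paths outside the folder, the two conditions the description above depends on. It assumes Windows PowerShell 5.1 or later and that `fsutil hardlink list` can enumerate link names for files the caller can read.

```powershell
# Audit helper written for this thread (not from the writeup). Assumes Windows
# PowerShell 5.1+ and that 'fsutil hardlink list' works for readable files.
$TasksDir = 'C:\Windows\Tasks'

function Get-TasksDirWriters {
    # Every Allow ACE on the folder that grants the right to create files.
    $createFiles = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
    $acl = Get-Acl -Path $TasksDir
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $createFiles) -ne 0) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Get-TasksDirHardLinks {
    # For each file (hidden ones included), list its other hard-link names and
    # flag any that live outside the Tasks folder.
    Get-ChildItem -Path $TasksDir -File -Force | ForEach-Object {
        $links = & fsutil hardlink list $_.FullName 2>$null
        # Assumption: fsutil prints drive-less paths such as \Windows\Tasks\x.job
        $outside = @($links | Where-Object { $_ -and ($_ -notlike '\Windows\Tasks\*') })
        if ($outside.Count -gt 0) {
            [pscustomobject]@{
                File         = $_.FullName
                AlsoLinkedAs = $outside
            }
        }
    }
}

Write-Host "Principals that can create files in ${TasksDir}:"
Get-TasksDirWriters | Format-Table -AutoSize
Write-Host "Files in $TasksDir that are hard-linked to paths outside it:"
Get-TasksDirHardLinks | Format-List
```

A file in the second listing is the setup the description relies on (a Tasks entry that is also a name for some other file), so it is worth treating as a finding rather than noise.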



Please don't quote text with code blocks:

> The task scheduler service has an alpc endpoint, supporting the method “SchRpcSetSecurity”. The prototype looks like this:

    long _SchRpcSetSecurity(
        [in][string] wchar_t* arg_1, //Task name
        [in][string] wchar_t* arg_2, //Security Descriptor string
        [in]long arg_3);
> Tasks created by the task scheduler will create a corresponding folder/file in c:\windows\system32\tasks. This function seems to be designed to write the DACL of tasks located there, and will do so while impersonating.

> However, for some reason it will also check if a .job file exists under c:\windows\tasks and try to set the DACL while not impersonating.

> Since a user, and even a user belonging to the guests group can create files in this folder, we can simply create a hardlink to another file (all we need is read access). Because of the hardlink, we can let the task scheduler write an arbitrary DACL (see second parameter of SchRpcSetSecurity) to a file of our choosing.

> So any file that we have read access over as a user and that system has the write DACL permission for, we can pivot into full control and overwrite it.


On a laptop, the code block is much easier to read than the "correct" way. I can see it being harder on a phone.


I too am on a laptop and the code block requires me to scroll for every single line.

EDIT: Maybe I should mention that I'm zoomed in 150% because I find the default font size unreadable. But I guess accessibility doesn't matter.


If you find the default font size too small, I know at least Chrome and Firefox support a minimum font size in their settings.

I personally set my minimum font size to 9. While I can't easily read font that small, I can at least notice it is there and zoom or otherwise compensate if I care what it says while still mostly preserving the aesthetic of the web page (assuming the font is purposefully small for a reason).


Increasing the minimum font size makes the “code” block issue he’s talking about worse, though. Same as zooming.


Thanks!


Please don’t repost other users’ posts because you have a formatting preference.


He didn’t post the other user’s post again, but rather posted the original text from the writeup again.


Please don’t make up rules.


Thank you for the description, I was hesitant to download a .rar just to read something...

> So any file that we have read access over as a user and that system has the write DACL permission for, we can pivot into full control and overwrite it.

Doesn't this imply we can use guest access to install any kind of backdoor, since we'll have "read access" to a bunch of programs that start on boot? Seems really bad, maybe I'm misinterpreting (I haven't been on Windows for a while).


Yeah, the doc files in the archive seem to be clean based on the multiscan results. Some AVs are already flagging the hash of the rar as an exploit.

Metadefender: https://metadefender.opswat.com/results#!/file/YTE4MDgyOHJrW...

VT: https://www.virustotal.com/#/file/0c2cbb5eba3ae0765b16748912...

Edit: Fixing grammar


Which just shows what a huge scam AVs are nowadays.


True that. Not even mentioning the insane amount of telemetry data they are "sending home" on a regular basis. You think social networks are bad? Well, take a look at your AV...



