Attacker Value
Moderate
0

Task Scheduler S4U Logon Elevation of Privilege

Last updated March 03, 2020

Exploitability

(2 users assessed) High
Attack Vector
Unknown
Privileges Required
Unknown
User Interaction
Unknown

Description

The Windows Task Scheduler allows a split-token administrator to register a task that runs as a batch job from a limited-privilege context. This doesn’t require the user’s password, as the task will be run non-interactively and so doesn’t need access to the password in order to access remote resources. Because of the way batch logons work in the latest versions of Windows, for a split-token admin user this actually creates the fully privileged token to execute the task under.
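For defenders, the registration described above is visible in the task definition itself: the principal carries `<LogonType>S4U</LogonType>`. The following is an added example, not code from this page or from the original report. It audits task XML, such as the definitions stored under the Tasks folder or the TaskContent field of event 4698, for S4U principals; the task names, accounts and sample XML are constructed.

```python
import xml.etree.ElementTree as ET

# Namespace of the Task Scheduler task-definition XML schema.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

def s4u_principals(task_xml):
    """Return [(user_id, run_level)] for each principal that logs on via S4U."""
    try:
        root = ET.fromstring(task_xml)
    except ET.ParseError:
        return []  # truncated or corrupt definition: nothing to report
    found = []
    for p in root.findall("t:Principals/t:Principal", NS):
        if p.findtext("t:LogonType", "", NS).strip().upper() != "S4U":
            continue
        user = p.findtext("t:UserId", "?", NS).strip()
        # An absent RunLevel element means LeastPrivilege (schema default).
        level = p.findtext("t:RunLevel", "LeastPrivilege", NS).strip()
        found.append((user, level))
    return found

def audit(tasks):
    """Map task name -> S4U principals. Every S4U task is listed, whatever its
    RunLevel, because the description ties the full token to the batch logon."""
    report = {}
    for name, xml_text in tasks.items():
        hits = s4u_principals(xml_text)
        if hits:
            report[name] = hits
    return report

def _task(principal):  # builds one constructed sample definition
    return ('<Task version="1.2" xmlns="%s"><Principals><Principal id="Author">%s'
            '</Principal></Principals><Actions Context="Author"><Exec>'
            '<Command>C:\\Tools\\job.exe</Command></Exec></Actions></Task>'
            % (NS["t"], principal))

# Constructed samples: task names and accounts are made up.
SAMPLE_TASKS = {
    "\\NightlyReport": _task("<UserId>CONTOSO\\alice</UserId><LogonType>S4U</LogonType>"),
    "\\Updater": _task("<UserId>CONTOSO\\bob</UserId>"
                       "<LogonType>InteractiveToken</LogonType>"),
    "\\Backup": _task("<UserId>CONTOSO\\carol</UserId><LogonType>S4U</LogonType>"
                      "<RunLevel>HighestAvailable</RunLevel>"),
    "\\Corrupt": "<Task><Principals>",
}

if __name__ == "__main__":
    for name, hits in audit(SAMPLE_TASKS).items():
        print(name, hits)
```

Cross-check any hit against the owning account's group membership: an S4U task owned by a member of the local Administrators group is the case the description is about.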

3
Ratings
Technical Analysis

This exploit does not appear to need admin credentials in order to trigger: https://www.rapid7.com/db/vulnerabilities/WINDOWS-HOTFIX-MS14-054, https://www.tenable.com/plugins/nessus/77574

Any privilege escalation using built-in Windows components is a valuable tool for attackers.

1
Ratings
  • Attacker Value
    Low
  • Exploitability
    Low
Technical Analysis

Details

This is possibly another ‘getsystem’ technique for UAC bypass.
The effort required to exploit this vulnerability is higher because it requires
a particular set of circumstances that are not universal.

From the report:

My 2c: You’re already an admin, it’s not letting you do anything you couldn’t already do, it’s just not giving you a heads up (UAC warning).
