Hello, welcome to the Wednesday, August 29th, 2018 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Sundvolden, Norway.

And we got a new seraday vulnerability in 64-bit Windows 10 and Windows Server Server 2016, so the most recent all-patched versions that can lead to

privilege escalation. The vulnerability lies in the Windows task scheduler and it is associated

with the handling of advanced local procedure calls our ALPC.

Now, the proof of concept that has been released that's fully functional works on Windows 10 in 2016 with 64 bits.

It has a few hard-coded parameters for these specific operating systems,

but it is very possible that the same vulnerability

is exploitable in a wider range of Windows operating system versions.

The way the exploit works is that an attacker who already has to have normal user access

to the system has to create a heartlink from Windows tasks, which is the

directory that's being used by the scheduler to an arbitrary file that the attacker has

read access to, and then essentially the task scheduler will rewrite the Daclesi, discretionary

access control list for this file for the attacker.

Kevin Baman did a real great job in his blog to sort of go over the details of this exploit.

He even set up a GitHub repository with the actual source code.

The original author only set up a GitHub repository with a rar file.

So probably you want to check out that annotated version of Kevin's in order to learn more about

how this particular exploit works. In the show notes, I'll link to the cert CC announcement about this flaw. It has links to

Kevin's blog as well as to the GitHub repository with the original exploit code. And then there

are certain applications that probably were never really intended to be connected to the open internet.

One such application is octoprint.

...