
The permissions on the two task folders permit all authenticated users to create files within those folders. One consequence of this is that a client can manually place a file in the legacy folder, then make use of the Task Scheduler to have the task migrated to the preferred folder. When saving a task file to the preferred location, the service will set security information on the file granting ownership and full control to the owner of the task. Critically, the Task Scheduler service performs this action using its own highly-privileged SYSTEM token.

This particular combination of behaviors leaves an opening for a hard link attack. The essential steps of the attack are as follows:

1. Replace the file in the preferred folder with a hard link to an arbitrary target file.
2. Manually place a new task with the same name into the legacy folder.
3. Use the Task Scheduler RPC interface to migrate the task to the preferred folder.
4. The Task Scheduler service will update the security information on the file in the preferred folder, granting ownership and full control to the attacker.

Since this file is actually a hard link, this security information will be applied to the target file. Through this, an attacker can gain full control of any local file on all versions of Windows 10. The posted exploit code requires the attacker to possess the cleartext password of the account being used for the attack. This somewhat limits the usability of the exploit in a real-world attack scenario.
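As an added defensive check (example code written for this page, not taken from the advisory, the exploit or Microsoft), the scan below walks the task folders and flags any file whose link count is greater than one, which is the precondition the hard link attack above depends on. The Windows folder paths are an assumption, since the text names them only as the legacy and preferred folders; the sample data is constructed inline.

```python
import os
import tempfile

# The write-up names the folders only as "legacy" and "preferred"; these
# Windows 10 paths are an assumption, not something stated on the page.
DEFAULT_TASK_FOLDERS = (
    r"C:\Windows\Tasks",           # legacy task folder (assumed path)
    r"C:\Windows\System32\Tasks",  # preferred task folder (assumed path)
)

def find_hard_linked_files(folder):
    """Return (path, link_count) for files under folder with link count > 1.
    A task file with extra directory entries is the precondition of the
    hard link attack, so it deserves an alert whatever the task contains."""
    hits = []
    for root, _dirs, files in os.walk(folder):
        for name in files:
            path = os.path.join(root, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # vanished or inaccessible; skip it
            # st_nlink is populated on Windows (Python 3) and on POSIX.
            if st.st_nlink > 1:
                hits.append((path, st.st_nlink))
    return hits

def audit_task_folders(folders=DEFAULT_TASK_FOLDERS):
    """Scan each existing folder; returns {folder: [(path, link_count), ...]}."""
    return {f: find_hard_linked_files(f) for f in folders if os.path.isdir(f)}

def build_sample_folder():
    """Constructed sample (not from the page): a temporary 'task folder' with one
    ordinary task file and one file hard-linked to a 'target' outside it."""
    base = tempfile.mkdtemp()
    folder = os.path.join(base, "Tasks")
    os.mkdir(folder)
    with open(os.path.join(folder, "benign.job"), "w") as f:
        f.write("ordinary task")
    target = os.path.join(base, "target.bin")  # stands in for the victim file
    with open(target, "w") as f:
        f.write("protected content")
    linked = os.path.join(folder, "migrated.job")
    os.link(target, linked)  # the hard link sitting in the task folder
    return folder, linked
```

Run `audit_task_folders()` from an elevated prompt on a Windows 10 host to scan the assumed folders, or pass your own folder tuple; a link count of 2 or more on a task file is the alert condition.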
