The recent zero-day vulnerability CVE-2018-8440 in Windows Task Scheduler enables attackers to perform a privilege elevation on targeted machines. Microsoft has released a security advisory CVE-2018-8440 on September 11, 2018 to address this issue. According to Microsoft, successful exploitation of this vulnerability could run arbitrary code in the security context of the local system.

About the vulnerability
CVE-2018-8440 is a local privilege escalation vulnerability in the Windows Task Scheduler’s Advanced Local Procedure Call (ALPC) interface. The ALPC endpoint in Windows task scheduler exports the SchRpcSetSecurity function, which allows us to set an arbitrary DACL without checking permissions. Exploiting the vulnerability ultimately allows a local unprivileged user to change the permissions of any file on the system.

The exploit code release was announced on twitter, on 27th August 2018, by a security researcher who goes with the handle “SandboxEscaper”.  Within days, PowerPool malware was found using the exploit to infect users.

Vulnerable versions

• Windows 7
• Windows 8.1
• Windows 10
• Windows Server 2008, 2012 and 2016

Quick Heal detection
Quick Heal has released the following detection for the vulnerability CVE-2018-8440:

• Trojan.Win64
• Trojan.IGeneric

Quick Heal Security Labs is actively looking for new in-the-wild exploits for this vulnerability and ensuring coverage for them.

References

• https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8440

Subject Matter Experts

Sameer Patil | Quick Heal Security Labs