Possible Windows Scheduler local privilige escalation

Sans has a writeup on Windows local privilige escalation using the Windows scheduler and among other things it might be worth starting out by saying that typically, only Administrative group users in Windows XP are allowed to access the Windows Scheduler. However, I have read reference of some installs that even give guests that capability. If that’s a default setting under some install profile – this is a big problem, if it’s just because the administrator chose to make the scheduler accessible to everyone it’s LESS of a problem, but still worth KNOWING about.

Essentially, the Scheduler runs processes with SYSTEM priviliges and so, if you use the scheduler to run cmd.exe you have a command shell with system priviliges. Now, if you’re already administrator, I’m not sure what greater havoc could be caused by having SYSTEM priviliges, however…. if you are an unpriviliged user that has access to the scheduler you can probably see where this can be a problem.

Really, you would expect that if you with admin priviliges schedule some program, that it would run with admin priviliges (not system…) so this is a problem of sorts. How big a problem depends on whether or not ANY user on the system has access to your scheduler.

   Send article as PDF   

Similar Posts