tags: windows, lpe, learning_resource original link: Breaking Barriers and Assumptions: Techniques for Privilege Escalation on Windows: Part 3 newsletter link: exploits.club Weekly Newsletter 33 - CPU Vulns, Breaking Samsung Bootloaders, Tony Hawk Pro Skater, And More
Exploits Club Summary:
ZDI is back this week with the third installment of its ongoing Windows PrivEsc series, this time discussing a technique for leveraging an on-boot delete primitive to abuse the Windows Task Scheduler. The core idea centers around the fact that the Task Scheduler "does not validate mount points before it deletes the corresponding .job file from the C:\Windows\Tasks" directory, and that this directory is writeable by a standard user. Furthermore, the Task Scheduler uses a hidden file, SA.DAT, to prevent the user from converting the directory to a junction. As such, a user can abuse an on-boot delete primitive to delete SA.DAT and privesc. The post then covers the difficulties the team has had with vendors when reporting several of these privescs, and why many of the bugs reported in the series remain unpatched.