
Re: Windows NT Task Scheduler vulnerability allows user to administrator elevation


Subject: Re: Windows NT Task Scheduler vulnerability allows user to administrator elevation
From: John Howie (JHowieEMAIL.MSN.COM)
Date: Mon Nov 29 1999 - 23:15:14 CST


Jesper is correct in his assessment that the Task Scheduler runs as SYSTEM,
but this is necessary. Users who submit jobs are required to supply their
username and password. These credentials are stored and used when the user's
scheduled job is run. So, if a user has access to a share, then so will the
job started by the Task Scheduler.

With the introduction of SP3 (I think) Microsoft introduced an API call
CreateProcessAsUser (). This API call relies on the presence of another
service to actually take user credentials and invoke a process in the user's
security context by calling LogonUser () and/or the other ImpersonateXXX ()
API calls.

The Task Scheduler does something similar. It takes the user's credentials
stored in the job control file and invokes the same API calls to effectively
logon the user before calling CreateProcess () with that user's security
context.

Also, you can invoke the Task Scheduler on a remote machine, if you wish.
The whole interface is implemented as a DCOM service. You can access it
programmatically or through the Explorer interface.

john...

-----Original Message-----
From: Jesper M. Johansson <jjohanssBU.EDU>
To: win2ksecadviceLISTSERV.NTSECURITY.NET
<win2ksecadviceLISTSERV.NTSECURITY.NET>
Date: Monday, November 29, 1999 7:52 PM
Subject: Re: Windows NT Task Scheduler vulnerability allows user to
administrator elevation

>There have been problems with the Task Scheduler since it was first
>introduced back in IE4. I posted a lengthy article about the
>vulnerabilities to the NT security newsgroup back when it first came
>out. I am on the road this week so when I get back I will repost it to
>this list.

Even though it is not directly security related, you may also want to
remember that Task Scheduler does not actually work for most practical
purposes. Among the issues:

1. It can only run as system. Unlike atsvc.exe you cannot set the IE task
scheduler to run as another user, which is required for it to be able to
access network shares for example. Of course, I guess you could set all your
SMB shares to Full Control for Everyone... ;-)
2. It does not work with other schedulers. For example, it will break
soon.exe.
3. Unlike atsvc.exe, it cannot be controlled remotely, at least not well.
4. If you set a job to start on a date and day of the week, and the date and
day don't match, the job will never run. For example, if you set a job to
start at 2:00 AM on Tuesday, November 29, 1999, the job will never run.
November 29, 1999 is not a Tuesday. No error message will be logged.

To remove this monstrosity altogether and bring back atsvc.exe, check out
Q196731. If you need a graphical scheduler, use winat.exe.

Regards,

Jesper

Jesper M. Johansson, Ph.D.
Assistant Professor, Boston University
jjohanssbu.edu
Editor, SANS NT Digest
MCSE, MCP+I

_____________________________________________________________________
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
SEND ALL COMMANDS TO: listservlistserv.ntsecurity.net

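The two posts above disagree about who a scheduled job runs as: the scheduler service itself runs as SYSTEM, and a job either runs with a credential the scheduler has stored for the submitting user or directly as SYSTEM. The script below is an added example written for this archive page, not code from either poster; it audits a modern Windows host for exactly those two facts and then applies the check a practitioner would want given the thread's subject, namely whether any job that runs as SYSTEM launches an executable a low-privileged user could modify. It assumes Windows 8 / Server 2012 or later (for the ScheduledTasks module and Get-CimInstance) and an elevated PowerShell session; the account names and ACL patterns it matches on are assumptions that may need adjusting on non-English systems.

```powershell
# Added example, not code from the original thread. Audits the Task
# Scheduler for the account the service runs as and the account each job
# runs as (stored credential versus SYSTEM). Assumes Windows 8 / Server
# 2012 or later (ScheduledTasks module); run from an elevated shell.

# 1. Account of the Schedule service (LocalSystem, as the thread says).
$svc = Get-CimInstance Win32_Service -Filter "Name='Schedule'"
"Schedule service runs as '$($svc.StartName)' (state: $($svc.State))"

# 2. Flatten each task to its principal and its executable actions.
#    LogonType 'Password' means the scheduler holds a stored credential
#    for the job (the behaviour John describes); 'S4U' means it builds a
#    token for the user without a stored password; 'ServiceAccount' is the
#    SYSTEM / LOCAL SERVICE / NETWORK SERVICE case.
$tasks = Get-ScheduledTask | ForEach-Object {
    $t = $_
    foreach ($a in $t.Actions) {
        if (-not $a.Execute) { continue }   # skip COM-handler actions
        [pscustomobject]@{
            Task      = $t.TaskPath + $t.TaskName
            RunAs     = $t.Principal.UserId
            LogonType = $t.Principal.LogonType
            RunLevel  = $t.Principal.RunLevel
            Exe       = [Environment]::ExpandEnvironmentVariables($a.Execute).Trim('"')
            Args      = $a.Arguments
        }
    }
}

"`nJobs running under a stored password:"
$tasks | Where-Object LogonType -eq 'Password' |
    Format-Table Task, RunAs, Exe -AutoSize

# 3. For jobs that run as SYSTEM, check whether a low-privileged principal
#    can modify the executable: a SYSTEM job that launches a user-writable
#    binary is the classic route from ordinary user to SYSTEM.
#    (Identity patterns below are assumptions for an English-language OS.)
$lowPriv  = 'Everyone|Authenticated Users|BUILTIN\\Users|INTERACTIVE'
$canWrite = 'Write|Modify|FullControl'
"`nSYSTEM jobs whose executable is writable by low-privileged users:"
$tasks | Where-Object { $_.RunAs -in @('SYSTEM', 'S-1-5-18', 'NT AUTHORITY\SYSTEM') } |
  ForEach-Object {
    if (-not (Test-Path -LiteralPath $_.Exe)) { return }   # missing binary: different problem
    $bad = (Get-Acl -LiteralPath $_.Exe).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference -match $lowPriv -and
        $_.FileSystemRights -match $canWrite
    }
    if ($bad) {
        [pscustomobject]@{
            Task       = $_.Task
            Exe        = $_.Exe
            WritableBy = ($bad.IdentityReference -join ', ')
        }
    }
  } | Format-Table -AutoSize
```

Run it as an administrator; the stored-credential listing shows which jobs depend on a password the scheduler keeps on disk (the behaviour the thread describes), and the final table is empty on a correctly configured host. Anything that does appear there deserves the same scrutiny as a writable service binary.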



This archive was generated by hypermail 2b27 : Mon Nov 29 1999 - 23:31:53 CST