Local privilege escalation in procedure calls

It's not bad enough to take Microsoft out-of-cycle, but CERT/CC has just put out a warning of a new privilege escalation bug in Windows.

According to the Tweet that set the hounds running, it's a zero-day with a proof-of-concept at GitHub.

CERT/CC vulnerability analyst Phil Dormann quickly verified the bug, Tweeting: “I've confirmed that this works well in a fully-patched 64-bit Windows 10 system. LPE right to SYSTEM!” (LPE – local privilege escalation – El Reg).

CERT/CC has finished its more formal investigation, and has just posteda vulnerability note.

“Microsoft Windows task scheduler contains a vulnerability in the handling of ALPC, which can allow a local user to gain SYSTEM privileges”, the advisory stated.

ALPC, Advanced Local Procedure Call, restricts the impact somewhat, since it's a local bug.

However, it opens an all-too-familiar attack vector: if an attacker can get a target to download and run an app, local privilege escalation gets the malware out of the user context up to (in this case) system privilege. Ouch.

The vulnerability note says: “The CERT/CC is currently unaware of a practical solution to this problem.”

Responding to The Register's e-mail inquiry, a Microsoft spokesperson it will “proactively update impacted advices as soon as possible”, and pointed to its Update Tuesday schedule.

Source: theregister