Cyber Security
Windows Task Scheduler: so helpful at disclosing credentials, even when you ask it not to
By Tristan Bennett
Australian Cyber Security Magazine, p. 40

It’s not every day you come across an issue that Microsoft deems worthy of a patch, especially when your day job is sifting through logs to find indicators of compromise. However, while testing some techniques to detect password scraping from memory, that’s the position we found ourselves in. The first thing we had to confirm was whether the issue was present on all our Windows test servers, as we were worried we had misconfigured something on the server where the flaw was discovered. Once we confirmed that we could reproduce the issue on multiple operating systems, including a fully patched Windows Server 2016 environment, we had the confidence to submit the issue to Microsoft.

Microsoft has a simple process for submitting a security vulnerability and asks for the following information as a starting point. A summary of our submission is included against each item:

• Type of issue (buffer overflow, SQL injection, cross-site scripting, etc.): Plaintext or easily reversible credentials stored in memory.
• Product and version that contains the bug, or URL if for an online service: Tested on Windows Server 2012 R2 and Windows Server 2016.
• Service packs, security updates, or other updates for the product you have installed: Up to date with security patches.
• Any special configuration required to reproduce the issue: None.
• Step-by-step instructions to reproduce the issue on a fresh install: The steps to reproduce this issue are described below.
• Proof-of-concept or exploit code: No code required for this.
• Impact of the issue, including how an attacker could exploit the issue: Administrators may have a false sense of password security because of the robust security features built into Windows Server 2016 to stop password dumping tools from extracting plaintext passwords. However, it appears a single scheduled task may expose potentially sensitive credentials despite all the other safeguards. Attackers can dump passwords with a variety of tools, and it has become very difficult to extract plaintext passwords from LSASS on Server 2016. It appears, though, that extraction through Credential Manager is still possible, leading to easier privilege escalation options.

Once submitted, the Microsoft Security Response Center gave regular updates about the status of the patch, and a CVE number (CVE-2019-0838) was assigned about three months after the flaw was disclosed. The issue was patched on 9 April 2019 for all supported Windows operating systems and was given a CVSS score of 6.6. Interestingly, Microsoft describe the issue as an “unintentional read access to memory contents in kernel space from a user mode process”, which makes it sound a
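The impact statement above comes down to one question for a defender: which scheduled tasks on a host run under a named user account, and which of those hand the Task Scheduler a password to keep? The PowerShell below is an added example for that inventory; it is not code from the article, from the author, or from Microsoft. It assumes the built-in ScheduledTasks module (Windows Server 2012 R2 and 2016 onwards) and an elevated session so that tasks outside your own user context are visible; the function name and output columns are my own.

```powershell
# Added example (not code from the article or from Microsoft): inventory the
# scheduled tasks on a host that run under a named user account, and flag the
# ones configured with a stored password. Those are the tasks whose credential
# the Task Scheduler service has to keep somewhere it can read back, which is
# the exposure the article's impact statement describes. Assumes the built-in
# ScheduledTasks module (Windows Server 2012 R2 / 2016 and later) and an
# elevated session so tasks outside your own user context are visible.

function Get-UserContextTasks {
    [CmdletBinding()]
    param(
        # Include Microsoft's own \Microsoft\* task folders (hidden by default to reduce noise).
        [switch]$IncludeMicrosoft
    )

    # Built-in machine accounts by name or well-known SID; these never involve a stored user password.
    $builtIn = '^(SYSTEM|LOCAL SERVICE|NETWORK SERVICE|S-1-5-(18|19|20))$'

    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object {
            ($IncludeMicrosoft -or $_.TaskPath -notlike '\Microsoft\*') -and
            $_.Principal.UserId -and
            $_.Principal.UserId -notmatch $builtIn
        } |
        ForEach-Object {
            $task = $_
            $info = $task | Get-ScheduledTaskInfo -ErrorAction SilentlyContinue
            [PSCustomObject]@{
                Task           = $task.TaskPath + $task.TaskName
                RunAs          = $task.Principal.UserId
                # Password = credential stored by the service; S4U = the "do not store password" option
                LogonType      = [string]$task.Principal.LogonType
                StoredPassword = ([string]$task.Principal.LogonType -in 'Password','InteractiveOrPassword')
                RunLevel       = [string]$task.Principal.RunLevel    # Highest = elevated token
                State          = [string]$task.State
                LastRun        = $info.LastRunTime
                Command        = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
            }
        }
}

# Usage: stored-password tasks first, then anything else running as a named user.
Get-UserContextTasks |
    Sort-Object StoredPassword, RunLevel -Descending |
    Format-Table Task, RunAs, LogonType, StoredPassword, RunLevel, State, LastRun, Command -AutoSize
```

Read the output with the article's point in mind: any row whose RunAs account is privileged is a candidate for the credential exposure described, whatever the LogonType column says, so the list is a triage aid rather than a proof that S4U tasks are safe. As general Windows hardening advice rather than anything the article states, the rows with StoredPassword set to True are the ones worth moving to a group Managed Service Account or a built-in service account, and the rest are worth confirming the April 2019 update is installed for.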