Micropatch is Available for Windows Task Scheduler Security Feature Bypass (CVE-2020-1113)

by Mitja Kolsek, the 0patch Team

Windows 7 and Server 2008 R2 users without Extended Security Updates have just received a micropatch for CVE-2020-1113, a Windows Task Scheduler Security Feature Bypass.

This vulnerability was patched by Microsoft with May 2020 Updates, but Windows 7 and Server 2008 users without Extended Security Updates remained vulnerable.

Security researcher Sylvain Heiniger (@sploutchy) of @compasssecurity analyzed this vulnerability and subsequently published a POC, from which we could reproduce the issue and create a micropatch. 

 

The vulnerability lies in Task Scheduler accepting RPC requests that can be relayed. An attacker can piggyback on such requests by having some logged-on user send an SMB request to their computer, and then act as man-in-the-middle.

 

Microsoft's patch makes sure the authentication level of the RPC request received by Task Scheduler is RPC_C_AUTHN_LEVEL_PKT_PRIVACY, which prevents such piggybacking. Our micropatch does effectively the same, with just six CPU instructions on 32-bit Windows, and two CPU instructions on 64-bit Windows:

MODULE_PATH "..\Affected_Modules\schedsvc.dll_6.1.7601.24470_64bit\schedsvc.dll"
PATCH_ID 459
PATCH_FORMAT_VER 2
VULN_ID 6220
PLATFORM win64

patchlet_start
PATCHLET_ID 1
PATCHLET_TYPE 2

PATCHLET_OFFSET 0x37a1
N_ORIGINALBYTES 5
JUMPOVERBYTES 0
PIT schedsvc.dll!0x3b449

code_start

    ;This patch is inserted right after the RpcServerInqCallAttributesW call.
    ;The call fills the RPC_CALL_ATTRIBUTES_V2_W structure with data, and at
    ; address rsp+78h we can find
    ;the RPC_CALL_ATTRIBUTES_V2_W.AuthenticationLevel value, which describes
    ;the level of RPC authentication
    ;used. The range of this variable is form 0x0 to 0x6, where 0x6 is
    ;authentication with integrity (signature)

    cmp dword[rsp+78h], 6     ;Check if the RPC_CALL_ATTRIBUTES_V2_W.AuthenticationLevel
                              ; value is equal to 6
    jb PIT_0x3b449            ;If the value is less than 6, jump to the
                              ;"access denied error" block

code_end
patchlet_end

And a video of the micropatch in action:

We'd like to thank Sylvain Heiniger (@sploutchy) for sharing their analysis and POC, which allowed us to create this micropatch for Windows users without official security updates. We also encourage security researchers to privately share their analyses with us for micropatching.

This micropatch is immediately available to all 0patch users with a PRO license, and is targeted at Windows 7 and Windows Server 2008 R2 users without Extended Security Updates. To obtain the micropatch and have it applied on your computer(s) along with other micropatches included with a PRO license, create an account in 0patch Central, install 0patch Agent and register it to your account. Note that no computer restart is needed for installing the agent or applying/un-applying any 0patch micropatch.

To learn more about 0patch, please visit our Help Center.

New 0patch Agent is Released - Version 20.06.18.10800

Dear 0patch users,

We have just released a new 0patch Agent. We don't do that very often, for two reasons: (1) we like the software we're using to be stable, to favor reliability over novelty, and to not introduce unnecessary changes - so that's what we try to do for you; and (2) building and thoroughly testing a piece of software that needs to work reliably on multiple platforms is pretty expensive. Because of the latter, we've micropatched two functional bugs in our previous Agent version (see here and here) instead of hastily issuing a new one. Micropatching is vastly superior to the traditional rebuild-test-distribute model when fixing simple bugs (which most security bugs and many functional ones are) as it incurs minimal risk of breaking something outside the patched bits, requires only narrowly-focused testing, and allows for inexpensive and unobtrusive deployment (and revocation, if needed). 

Nevertheless, bugs and feature requests have piled up, and our server is evolving too, prompting the agent to learn a couple of new tricks.

What's new in the new 0patch Agent? If you like details, please refer to release notes, but otherwise the main changes are:

• Annoying popups in 0patch FREE are now gone and replaced by a summary popup that will tell you how many patches you're missing out on that would be relevant on your computer.
• Log is now displayed much faster in 0patch Console.
• Pop-ups are no longer shown when any application is in full screen mode.
• The above-mentioned functional bugs that we've previously micropatched have now been patched in the code, so there is no need to apply a micropatch to every process anymore.
• Failed syncs immediately after system startup (which many of you have noticed, and thankfully reported) have been fixed.
  

May we remind you that the agent is still very small, just over 4MB on the file system.

We recommend you update your agent to this new version at your earliest convenience. The update process will not require a computer restart.

Locally Managed 0patchAgents

If you're using 0patch locally on your computer, 0patch Agent has already started notifying you about a new version. To update the agent, launch 0patch Console and in the "AGENT VERSION" box, click on "GET LATEST VERSION" and let the update process complete. Note that the console will disappear in the process, and will get re-launched when the new agent version is installed.

Remotely Managed 0patch Agents

If you're managing 0patch Agents in your organization remotely through 0patch Central, your group settings will determine whether/which agents will get updated automatically and which will require a manual action on your part. To make sure all agents are updated, you can open the All Computers group, select all computers, and under ACTIONS, select "Update agent to new version."

Thank you for using 0patch! As always, we'll appreciate your feedback, bug reports, feature requests and musical recommendations at support@0patch.com.

The 0patch Team