Recently a security researcher, going by the handle SandboxEscaper, released the source code for a 0-day in the Advanced Local Procedure Call (ALPC) interface that allows a threat actor to gain Local Privilege Escalation (LPE) on the victim machine. This vulnerability affects Microsoft Windows 7 through 10.
An overview of the exploit's source shows that it takes advantage of a flaw in the SchRpcSetSecurity API function of the Windows Task Scheduler. Specifically, the function does not properly check the caller's permissions, which can be leveraged to gain write access to write-protected files. The code released by the researcher uses hard links to overwrite protected files on the system.
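Since the published code plants hard links so that the Task Scheduler rewrites the permissions of the linked target, the artifact a defender can look for is a file with more than one on-disk name sitting in a directory that low-privilege users can write to. The audit below is an added example, not code from the post or from the exploit; the directory to audit is an assumption (on Windows, the task-file directory is the natural candidate), and the demo builds its own constructed scenario in a temporary directory.

```python
import os
import sys
import tempfile
from dataclasses import dataclass
from typing import List


@dataclass
class HardLinkFinding:
    path: str
    link_count: int


def find_hardlinked_files(directory: str) -> List[HardLinkFinding]:
    """Return every regular file under `directory` whose on-disk link count is
    greater than one, i.e. the same data is also reachable under another name.
    Symlinks are skipped: the technique described relies on hard links."""
    findings = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            if os.path.islink(path):
                continue
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished entries are skipped, not fatal
            if st.st_nlink > 1:
                findings.append(HardLinkFinding(path, st.st_nlink))
    return findings


def demo() -> List[HardLinkFinding]:
    """Constructed scenario (assumption, not taken from the post): a 'protected'
    file outside the audited directory and a hard link to it planted inside.
    Only the planted link is reported; the original lives outside the scope."""
    with tempfile.TemporaryDirectory() as tmp:
        protected = os.path.join(tmp, "protected.dat")
        tasks_dir = os.path.join(tmp, "Tasks")  # stand-in for the audited directory
        os.mkdir(tasks_dir)
        with open(protected, "w") as fh:
            fh.write("sensitive contents\n")
        os.link(protected, os.path.join(tasks_dir, "planted"))  # the suspicious link
        return find_hardlinked_files(tasks_dir)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = find_hardlinked_files(target) if target else demo()
    for finding in results:
        print(f"{finding.path}: {finding.link_count} links")
```

Run with a directory argument to audit a real path; without one it runs the constructed demo.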
It should be noted that a threat group called PowerPool has weaponized this exploit, using a backdoor as an infection vector. The fact that the exploit source code was released publicly means that it is also widely available to other threat groups, who will jump at the chance to use it, especially since Microsoft still has not released a patch for it. Hexcapes will be on the lookout for such activity and will update the readership accordingly.