CVE-2010-3338
published 2010-12-16


Priority: P2 72 high | 7.2 CVSS 2.0
Vector: AV:L AC:L Au:N C:C I:C A:C
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 19.86% (97.1th percentile)
The Windows Task Scheduler in Microsoft Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not properly determine the security context of scheduled tasks, which allows local users to gain privileges via a crafted application, aka "Task Scheduler Vulnerability." NOTE: this might overlap CVE-2010-3888.

Affected

1 ranges
Vendor | Product | Version range | Fixed in
microsoft | windows_server_2008 | |

Detection & IOCs (extracted from sources)

path: C:\windows\system32\tasks\wDw00t
path: %SystemRoot%\system32\tasks\
filename: xpl.bat
command: schtasks /create /TN wDw00t /sc monthly /tr
command: schtasks /change /TN wDw00t /disable
command: schtasks /change /TN wDw00t /enable
command: schtasks /run /TN wDw00t
command: schtasks.exe /create /tn #{taskname} /tr "#{cmd}" /sc monthly /f
  • Monitor for task XML files written to %SystemRoot%\system32\tasks\ by non-SYSTEM processes, especially with modified UserId set to S-1-5-18 (SYSTEM SID) or Author set to 'LocalSystem'.
  • Detect task XML manipulation replacing 'LeastPrivilege' with 'HighestAvailable' and SID values with S-1-5-18 in task files under system32\tasks\.
  • Alert on rapid schtasks.exe sequence: /create followed by /change /disable, /change /enable, and /run against the same task name — this disable/enable cycle is the exploit trigger.
  • Detect task XML files with a BOM of 0xFFFE (UTF-16 LE) written directly to the tasks folder by user-level processes, as the exploit rewrites the task file with a forged CRC32 and Unicode BOM.
  • Flag creation of a batch file (xpl.bat) in %TEMP% that adds a local user and adds them to the administrators group, dropped as the payload by the VBScript exploit variant.
  • Detect use of Metasploit module ms10_092_schelevator via meterpreter session writing a random-named .exe to %TEMP% and registering it as a scheduled task.
  • Monitor for 'Actions Context' attribute changed from 'Author' to 'LocalSystem' and 'Principal id' changed from 'Author' to 'LocalSystem' in task XML files.
  • The exploit only works against Windows Vista, Windows 7, and Windows Server 2008 (including R2); other Windows versions are not affected.
  • The Metasploit module does not support WOW64 (32-bit meterpreter on 64-bit OS) due to filesystem redirection preventing direct task file access; an x64 meterpreter session is required.
  • The vulnerability requires the attacker to have a local session (local privilege escalation only); remote exploitation is not possible.
  • The exploit relies on the Task Scheduler using only a CRC32 checksum for integrity validation, meaning the forged task file must produce a CRC32 collision with the original to succeed.
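
The schtasks.exe sequence alert from the detection list above (/create, then /change /disable, /change /enable and /run against the same task name), written out as an added example that is not taken from the page's sources. The event tuple layout, the 60-second window used for "rapid", and the names `stage_of` and `detect_cycle` are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events (ISO time, user, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "bob", r'schtasks.exe /create /tn Backup /tr "C:\Tools\backup.cmd" /sc monthly /f'),
    ("2024-05-01T09:30:00", "bob", r"schtasks /run /tn Backup"),
    ("2024-05-01T10:00:00", "alice", r'schtasks /create /TN wDw00t /sc monthly /tr "C:\Temp\placeholder.exe"'),
    ("2024-05-01T10:00:01", "alice", r"schtasks /change /TN wDw00t /disable"),
    ("2024-05-01T10:00:02", "alice", r"schtasks /change /TN wDw00t /enable"),
    ("2024-05-01T10:00:03", "alice", r"schtasks /run /TN wDw00t"),
    ("2024-05-01T11:00:00", "carol", r'schtasks /create /TN Report /sc monthly /tr "C:\Tools\report.cmd"'),
    ("2024-05-01T11:00:10", "carol", r"schtasks /change /TN Report /disable"),
    ("2024-05-01T11:20:00", "carol", r"schtasks /change /TN Report /enable"),
    ("2024-05-01T11:20:05", "carol", r"schtasks /run /TN Report"),
]
# Ordered stages and the schtasks switches that identify each one.
RULES = [("create", {"/create"}), ("disable", {"/change", "/disable"}),
         ("enable", {"/change", "/enable"}), ("run", {"/run"})]
IMAGE_RE = re.compile(r'"?(?:[^"\s]*\\)?schtasks(?:\.exe)?"?\s')
TASK_RE = re.compile(r'/tn\s+(?:"([^"]+)"|(\S+))', re.I)

def stage_of(cmdline):
    """Return the stage name for a schtasks command line, else None."""
    low = cmdline.lower()
    switches = set(low.split()) if IMAGE_RE.match(low) else set()
    return next((name for name, need in RULES if need <= switches), None)

def detect_cycle(events, window=timedelta(seconds=60)):
    """Return (user, task, start, end) for each in-order 4-stage cycle inside `window`."""
    progress, hits = {}, []          # progress: (user, task) -> (next stage index, start time)
    for ts, user, cmd in sorted(events):
        stage, m = stage_of(cmd), TASK_RE.search(cmd)
        if stage is None or m is None:
            continue
        key = (user.lower(), (m.group(1) or m.group(2)).lower())   # task names compared case-insensitively
        now = datetime.fromisoformat(ts)
        idx, start = progress.get(key, (0, now))
        if stage == "create":
            progress[key] = (1, now)                    # a new /create restarts tracking
        elif stage == RULES[idx][0] and now - start <= window:
            if idx == 3:                                # /run completes the cycle
                hits.append((key[0], key[1], start.isoformat(), ts))
                del progress[key]
            else:
                progress[key] = (idx + 1, start)
        else:
            progress.pop(key, None)                     # out of order or too slow
    return hits
```

On the constructed events only the alice/wDw00t sequence is reported; bob's create-then-run and carol's slow cycle fall outside the pattern.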

CVSS provenance

nvd | v2.0 | 7.2 HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck | 7.2 HIGH