Listen to this Post
The vulnerability (CVE-2024-30090) resides in the Host Process for Windows Tasks (taskhostw.exe). It stems from improper link resolution before file access, specifically a symbolic link (symlink) following flaw. An authenticated local attacker with low privileges can exploit this by creating a malicious symlink pointing to a sensitive system file or registry hive. When the Host Process accesses a legitimate target file under attacker-controlled directory junctions, the link resolution is not validated. The process runs with higher integrity levels (e.g., SYSTEM). The attacker forces the privileged process to follow the crafted link, writing or reading arbitrary files. This leads to arbitrary file overwrite, credential theft, or DLL planting. The flaw exists due to missing checks for reparse points in the task scheduler’s file operations. Triggering the vulnerability requires the attacker to place a specially crafted task configuration or manipulate a scheduled task’s working directory. Once the task executes, the Host Process resolves the link and operates on the unintended resource. The CVSS vector indicates local access, low privileges, no user interaction, and full impact on confidentiality, integrity, and availability. Exploitation is not publicly known (E:U), with official fixes (RL:O) and confirmed (RC:C). Affected versions include Windows 10, Windows 11, Windows Server 2019, and Windows Server 2022 (specific builds prior to June 2024 patches).
DailyCVE form:
Platform: Windows
Version: 10/11/Server 2022
Vulnerability: Link following
Severity: HIGH
date: 2024-06-11
Prediction: 2024-06-11 (already patched)
Analytics under What Undercode Say:
Check if vulnerable to CVE-2024-30090 wmic qfe get hotfixid | find "KB5039211" Windows 10 21H2 wmic qfe get hotfixid | find "KB5039212" Windows 11 22H2 Simulate link following attack (proof-of-concept) mkdir C:\poc cd C:\poc mklink /D legit_folder \??\C:\Windows\System32\config\SAM Task scheduler manipulation schtasks /create /tn "POC_Task" /tr "C:\poc\legit_folder" /sc once /st 00:00 /ru SYSTEM
Exploit:
Create junction point using `junction.exe` or mklink. Place malicious task XML in `%SystemRoot%\System32\Tasks` with directory traversal. Trigger via schtasks /run. Host Process follows link and writes elevated payload to `C:\Windows\System32\drivers\etc\hosts` or reads SAM hive.
Protection from this CVE:
Apply Microsoft patch KB5039211/KB5039212/KB5039213 (June 2024). Enable attack surface reduction rules blocking symlink creation from low-integrity processes. Use fsutil behavior set SymlinkEvaluation L2L:0 R2R:0 R2L:0 L2R:0. Run scheduled tasks with least privilege and monitor for anomalous reparse points using Sysmon event ID 11.
Impact:
Full system compromise: attacker gains SYSTEM privileges, can read all files (including LSASS memory), modify system configuration, install persistent backdoors, and bypass UAC. Affects all Windows versions prior to June 2024 cumulative updates. No public exploit at disclosure, but local privilege escalation fully achievable.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: www.cve.org
Extra Source Hub:
Undercode

