Attacker Value: Moderate (4 users assessed)
Exploitability: Moderate (4 users assessed)
User Interaction: Unknown
Privileges Required: Unknown
Attack Vector: Unknown

CVE-2019-0880 Microsoft splwow64 Elevation of Privilege Vulnerability

Disclosure Date: July 15, 2019. Last updated: February 13, 2020.
Exploited in the Wild
Reported by gwillcox-r7

Description

This is a privilege escalation vulnerability affecting all modern versions of Windows that appears to relate to a function in splwow64.exe. Very little has been released on the technical details of the vulnerability, but the effects are fairly large. All versions of Windows after Server 2008 R2 are affected, including ARM versions. I’m very curious as to what the details are, as I think of only x64 versions when I look at splwow64.exe.

Ratings
  • Attacker Value
    High
  • Exploitability
    Medium
Technical Analysis

This is very hard to quantify in any way given the lack of reporting on the internal workings. It is a Priv Esc that affects all recent versions of Windows, though, so it would be a concern. I have seen no PoC for it, though it was used in the wild.

Ratings
  • Attacker Value
    Low
Technical Analysis

I’m seeing that it’s Windows Server versions 2012 through 2019, and that 2008 isn’t affected. But it’s been a few weeks and all we have to go off of is still the Microsoft advisory. That said, as Brian Krebs pointed out, this is the fifth vuln we’ve seen in Microsoft’s DHCP handling code, which would be super interesting given the broadcast nature of the protocol and the lack of logging and monitoring associated with DHCP broadcasts.

Technical Analysis

A vulnerability exists within splwow64.exe that can be exploited via an LPC to execute code within the context of that process. The splwow64.exe process is started when a 32-bit process on a 64-bit version of Windows attempts to print. The process is spawned as the same user and thus, the code would be executed as that user. Because of this, the vulnerability could not be used to escalate privileges but rather is limited to use as a sandbox escape from a Low integrity process (such as an Internet Explorer window) to a High integrity process. I rate this as low attacker value because the utility class is pretty limited to use as a sandbox escape.

Exploiting this vulnerability involves opening a handle to it and creating a shared section that, when combined with the LPC, can be leveraged into a write-what-where primitive. This can then be used with knowledge of the base address of key DLLs to overwrite a pointer within the .data section that can be referenced for controlled code execution.

This vulnerability reportedly still affects 64-bit versions of Windows 7 and has no public PoC code.

Analysis based on Chronicles of a Sandbox Escape: Deep Analysis of CVE-2019-0880.

Technical Analysis

Reported as exploited in the wild as part of Google’s 2020 0day vulnerability spreadsheet they made available at https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=1869060786. The original tweet announcing this spreadsheet with the 2020 findings can be found at https://twitter.com/maddiestone/status/1329837665378725888.
