CVE-2019-0880 Microsoft splwow64 Elevation of Privilege Vulnerability
Moderate (4 users assessed)
Description
This is a Privilege Escalation vulnerability in all modern versions of Windows and appears to relate to a function in splwow64.exe. Very little has been released on the technical details of the vulnerability, but the effects are fairly large. All versions of Windows after Server 2008 R2 are affected, including ARM versions. I’m very curious as to what the details are, as I think of only x64 versions when I look at splwow64.exe.
Ratings
- Attacker Value: High
- Exploitability: Medium
Technical Analysis
This is very hard to quantify in any way given the lack of reporting on the internal workings. It is a Priv Esc that affects all recent versions of Windows, though, so it would be a concern. I have seen no PoC for it, though it was used in the wild.
Ratings
- Attacker Value: Low
Technical Analysis
I’m seeing that it’s Windows Server versions 2012 through 2019, and that 2008 isn’t affected. But it’s been a few weeks and all we have to go off of is still the Microsoft advisory. That said, as Brian Krebs pointed out, this is the fifth vuln we’ve seen in Microsoft’s DHCP handling code, which would be super interesting given the broadcast nature of the protocol and the lack of logging and monitoring associated with DHCP broadcasts.
Ratings
- Attacker Value: Very Low
- Exploitability: Medium
Technical Analysis
A vulnerability exists within splwow64.exe that can be exploited via an LPC to execute code within the context of that process. The splwow64.exe process is started when a 32-bit process on a 64-bit version of Windows attempts to print. The process is spawned as the same user and thus, the code would be executed as that user. Because of this, the vulnerability could not be used to escalate privileges but rather is limited to use as a sandbox escape from a Low integrity process (such as an Internet Explorer window) to a High integrity process. I rate this as low attacker value because the utility class is pretty limited to use as a sandbox escape.
Exploiting this vulnerability involves opening a handle to it and creating a shared section that when combined with the LPC can be leveraged into a write-what-where primitive. This can then be used with knowledge of the base address of key DLLs to overwrite a pointer within the .data section that can be referenced for controlled code execution.
This vulnerability reportedly still affects 64-bit versions of Windows 7 and has no public PoC code.
Analysis based on Chronicles of a Sandbox Escape: Deep Analysis of CVE-2019-0880,
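As an added triage helper (not part of any assessment on this page), the PowerShell below lists each running splwow64.exe instance with its owner and the process that spawned it, so a responder can see which 32-bit process triggered it, as the assessment above describes. It assumes a 64-bit Windows host and uses only built-in CIM cmdlets.

```powershell
# Added triage helper, not code from the AttackerKB assessments above.
# Assumption: run on 64-bit Windows; only built-in CIM cmdlets are used.
function Get-Splwow64Parent {
    # Every live splwow64.exe instance on the host.
    $instances = Get-CimInstance -ClassName Win32_Process -Filter "Name = 'splwow64.exe'"
    foreach ($p in $instances) {
        # The parent is normally the 32-bit process that asked to print;
        # splwow64.exe can outlive it, so the parent may already be gone.
        $parent = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        $owner  = Invoke-CimMethod -InputObject $p -MethodName GetOwner
        [pscustomobject]@{
            Pid        = $p.ProcessId
            Owner      = "$($owner.Domain)\$($owner.User)"
            Started    = $p.CreationDate
            ParentPid  = $p.ParentProcessId
            ParentName = if ($parent) { $parent.Name } else { '<exited>' }
            ParentPath = if ($parent) { $parent.ExecutablePath } else { $null }
        }
    }
}

Get-Splwow64Parent | Format-Table -AutoSize
```

A splwow64.exe instance whose parent is a browser or document-viewer sandbox process, rather than an application that was actually printing, is the case the assessment above describes and is worth a closer look.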
Technical Analysis
Reported as exploited in the wild as part of Google’s 2020 0day vulnerability spreadsheet they made available at https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=1869060786. Original tweet announcing this spreadsheet with the 2020 findings can be found at https://twitter.com/maddiestone/status/1329837665378725888