Moderate
CVE-2020-0668
Description
An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory, aka ‘Windows Kernel Elevation of Privilege Vulnerability’. This CVE ID is unique from CVE-2020-0669, CVE-2020-0670, CVE-2020-0671, CVE-2020-0672.
Ratings
- Attacker Value: High
- Exploitability: Medium
Technical Analysis
This is a complex and poorly-defined vulnerability.
Microsoft’s description from https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0668 is essentially useless:
“An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application.”
There is little surprise that there exists some confusion about the vulnerability.
Contrary to the earlier poster, I do not believe that this is a System Orchestrator bug. I agree with https://packetstormsecurity.com/files/cve/CVE-2020-0668 and think the vulnerability is in the Remote Access Service. Part of the confusion is that the vulnerability is a file overwrite vulnerability, and many PoCs are leveraging a dll-hijacking vulnerability in the system orchestrator service to gain code execution after the trusted file write takes place.
The Remote Access Service runs as system and creates a log of its actions called RASTAPI.LOG. Once the RASTAPI.LOG reaches a defined size, the Remote Access Service copies RASTAPI.LOG to RASTAPI.OLD in the same directory.
The issue is twofold. First, the behavior of the Remote Access Service Tool API is defined by three registry keys:
HKLM\SOFTWARE\Microsoft\Tracing\RASTAPI\EnableFileTracing
HKLM\SOFTWARE\Microsoft\Tracing\RASTAPI\FileDirectory
HKLM\SOFTWARE\Microsoft\Tracing\RASTAPI\new_size
These three registry keys allow a user to turn on the RASTAPI and configure the size and location of the log file. These registry keys are writable by a regular user.
The second issue is that the RAST service performs only a trivial check on the filesystem location of the RASTAPI.OLD destination. If an attacker creates a filesystem link between the old log destination (i.e. C:\users\user\temp\RASTAPI.OLD) and a trusted location (C:\windows\system32\badfile.dll), RASDIALER will copy the old log file to the linked location as the SYSTEM user. Because there is a file hijacking vulnerability in the System Orchestrator service, many PoCs use the location C:\Windows\System32\WindowsCoreDeviceInfo.dll, which does not exist in a default configuration, but which the System Orchestrator Service will load if it does exist.
The attack looks something like:
- Gain lower-privileged access to a vulnerable target.
- Create a dummy directory to hold files.
- Mount the dummy directory to \RPC Control
- Upload a dll payload
- Create a link between \RPC Control\RASTAPI.LOG and the uploaded payload
- Create a link between \RPC Control\RASTAPI.OLD and the destination location the attacker would like to write (in this example, C:\Windows\system32\WindowsCoreDeviceInfo.dll)
- Write the registry keys to turn on FileTracing, set the file directory to the dummy directory, and set the max file size to one byte less than the size of the payload.
- Upload a configuration file for the rasdialer
- Launch the rasdialer. When RAST service kicks off, it tries to write a log file to the directory specified in the registry, but it finds one already exists, and it is already full, so RAST service then copies the file to the “old” location that’s linked to the trusted location. The result is an arbitrary file write to a trusted location.
- At this point, the overwrite is complete. PoCs leverage the System Orchestrator service to get execution of the overwritten dll file by launching the system orchestrator.
Many PoC exploits leverage https://github.com/googleprojectzero/symboliclink-testing-tools which allow for the manipulation of symbolic links and mount points and also https://github.com/itm4n/UsoDllLoader to start the System Orchestrator service to launch the dll.
While the exploit is difficult, there are several PoC exes out there, and a metasploit module in progress, so I consider the exploitability relatively easy, though the exploit itself is difficult.
Ratings
- Attacker Value: Low
- Exploitability: Medium
Technical Analysis
[edit]
This assessment covers one of the PoC techniques used to exploit the vulnerability; I much prefer the way @bwatters-r7 covers the details of the vulnerability.
This CVE includes an incorrect description (a very weak description that does a poor job of describing the actual vulnerability); please see the sources/citations/original CVE PoC postings. I have also reached out to the PoC authors.
Overview
A vulnerability was discovered within the Update Orchestrator Service within Windows 10. This service allows for updating and checking for updates on a Windows system. A user has the ability to interact with the service using COM to provide an update scan or to download any pending updates for the system.
This service runs under SYSTEM on the Windows system, and it tries to load a missing DLL. This vulnerability can be classed as a DLL hijacking vulnerability, where a user can add windowscoredeviceinfo.dll to the Windows System32 directory and have it loaded by the Uso service to obtain arbitrary code execution at a system level.
Once someone has the ability to write to the System32 directory, either an administrator or a low-level user with some sort of arbitrary-write primitive, they can then use the command usoclient StartInteractiveScan as a trigger for the vulnerability.
Impact
Successful exploitation of this vulnerability can lead to an unauthorized and unauthenticated user obtaining system-level access in kernel mode on the system. Successful exploitation of this vulnerability can allow a user at low integrity to obtain NT/Authority access.
This vulnerability would allow for the degradation of the integrity and security of the victim’s host system.
A working proof-of-concept for the exploitation of this vulnerability does exist.
https://www.youtube.com/watch?v=ml2feXa6cCY
https://github.com/nu11secur1ty/Windows10Exploits/tree/master/Undefined/CVE-2020-0668
Recommended remediation
The recommended security remediation for this vulnerability is to follow the provided security updates from Microsoft, and await any sort of patching that your company may push out.
C:\Users\123>sc qc UsoSvc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: UsoSvc
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k netsvcs
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Update Orchestrator Service for Windows Update
        DEPENDENCIES       : rpcss
        SERVICE_START_NAME : LocalSystem
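As an added defender-side check covering both assessments on this page (not code from either author or from the linked PoC repositories), the PowerShell script below audits a host for the preconditions described above: RASTAPI file tracing enabled or redirected, the tracing key writable by ordinary users, and the WindowsCoreDeviceInfo.dll sink present in System32. It assumes an elevated shell on the host under review; the size value is read both under the name the first assessment uses (new_size) and under MaxFileSize, the name Windows uses for that tracing value.

```powershell
# Added audit example (not from the assessments above). Assumes an elevated shell.
# Reports, without changing anything, whether RASTAPI tracing is on or redirected,
# whether low-privileged principals can write the key, and whether the PoC DLL exists.
$keyPath = 'HKLM:\SOFTWARE\Microsoft\Tracing\RASTAPI'
$dllPath = Join-Path $env:SystemRoot 'System32\WindowsCoreDeviceInfo.dll'
$broadPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                     'NT AUTHORITY\INTERACTIVE', 'Everyone')
$findings = @()

if (Test-Path $keyPath) {
    $props = Get-ItemProperty -Path $keyPath
    # 1. Tracing on and/or log directory moved: with tracing enabled, a SYSTEM
    #    service writes RASTAPI.LOG to FileDirectory and rolls it to RASTAPI.OLD
    #    once the size limit is hit, which is the write primitive described above.
    if ($props.EnableFileTracing -eq 1) {
        $findings += "EnableFileTracing=1 under $keyPath"
    }
    if ($props.FileDirectory -and $props.FileDirectory -notmatch '\\tracing\\?$') {
        $findings += "FileDirectory redirected to $($props.FileDirectory)"
    }
    # The assessment calls the size value new_size; Windows names it MaxFileSize.
    # A tiny limit forces the roll-over on the very first write.
    foreach ($name in 'new_size', 'MaxFileSize') {
        $size = $props.$name
        if ($null -ne $size -and $size -lt 1KB) {
            $findings += "$name=$size under $keyPath (forces immediate roll-over)"
        }
    }
    # 2. Key ACL: flag Allow ACEs that let broad groups set values here.
    $setValue = [System.Security.AccessControl.RegistryRights]::SetValue
    foreach ($ace in (Get-Acl -Path $keyPath).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $broadPrincipals -contains $ace.IdentityReference.Value -and
            (($ace.RegistryRights -band $setValue) -ne 0)) {
            $findings += "$($ace.IdentityReference) can SetValue on $keyPath"
        }
    }
}
# 3. DLL-hijack sink used by the PoCs: absent on a default install, so any copy
#    is worth examining (publisher, hash, creation time).
if (Test-Path $dllPath) {
    $sig = Get-AuthenticodeSignature -FilePath $dllPath
    $findings += "Unexpected file $dllPath (signature: $($sig.Status))"
}
if ($findings.Count -eq 0) { 'No RASTAPI tampering or unexpected DLL found.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

A hit on item 1 or 3 is worth triaging even on a patched host, since it indicates someone prepared the primitive; only the Microsoft update removes the root cause.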
General Information
Vendors
- microsoft
Products
- windows 10
- windows 10 1607
- windows 10 1709
- windows 10 1803
- windows 10 1809
- windows 10 1903
- windows 10 1909
- windows 7
- windows 8.1
- windows rt 8.1
- windows server 2008
- windows server 2008 r2
- windows server 2012
- windows server 2012 r2
- windows server 2016
- windows server 2016 1803
- windows server 2016 1903
- windows server 2016 1909
- windows server 2019
I was way off, thank you for this. I was following a few public PoCs to help guide me on some of the details due to the lack of published details, and it seems my understanding was skewed when I published my initial analysis. My initial analysis ends up covering one of the PoCs, and not specifically the vulnerability. Thank you, I will use this to re-do an assessment.
I can’t upvote this enough. What a great clarification on vulnerability definition!