VoidSec (24)

Last Login: August 26, 2021

VoidSec's Contributions (4)

Sort by:
Filter by:
Technical Analysis

Here you can read the entire analysis: https://voidsec.com/root-cause-analysis-of-cve-2021-3438/
The vulnerable function sub_15070 copies bytes from the user’s input buffer via the strncpy function call with an arbitrary size parameter (controlled by the user), causing a buffer overflow. The buffer, initialized with all zeroes in the .data segment, is the only reference in all of the section and it is only used in the highlighted strncpy operation; there are no pointers nor interesting structures written inside the segement that we can corrupt to redirect the execution flow.
I can confidently say that this vulnerability can, at best, be used to perform a local Denial of Service (DoS) crashing the entire OS.
I think a more appropriate CVSS score is 6.5, rather than the arbitrary 8.8/10 score given to the original CVE.

Thx to @wvu-r7 for the peer review.


Hi @ccondon-r7 I have one clients that were further compromised using this vulnerability (attackers already had a foothold into his network and used this vulnerability to gain Domain Admin and push a ransomware). As I’m not part of the IR team I’m still waiting for them to gather more details on the attack.

Technical Analysis

Unauthenticated attacker, able to directly connect to a Domain Controller over NRPC will be able to reset the Domain Controller’s account password to an empty string, thus enabling the attackers to further escalate their privileges to Domain Admin.

The exploit will be successful only if the Domain Controller uses the password stored in Active Directory to validate the login attempt, rather than the one stored locally as, when changing a password in this way, it is only changed in the AD. The targeted system itself will still locally store its original password.
Target computer will then not be able to authenticate to the domain anymore, and it can only be re-synchronized through manual action.
In test lab a successful attack broke the following functionalities when targeting a Domain Controller: DNS functionality and/or communication with replication Domain Controllers.

Checker and Exploit code
Original research and white-paper: Secura – Tom Tervoort

Technical Analysis

CVE-2020-1337 is a bypass of (PrintDemon) CVE-2020-1048’s patch via a Junction Directory, made to remediate an Elevation of Privileges (EoP)\Local Privilege Escalation (LPE) vulnerability affecting the Windows’ Print Spooler Service. The vulnerability does require low privilege access and for the spooler service to restart.
The patch appeared in Microsoft’s patch Tuesday (11th August 2020) – https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-1337#ID0EWIAC.

Vulnerability description, root cause analysis and PoC code on https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/