Low
CVE-2020-0986
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
CVE-2020-0986
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory, aka ‘Windows Kernel Elevation of Privilege Vulnerability’. This CVE ID is unique from CVE-2020-1237, CVE-2020-1246, CVE-2020-1262, CVE-2020-1264, CVE-2020-1266, CVE-2020-1269, CVE-2020-1273, CVE-2020-1274, CVE-2020-1275, CVE-2020-1276, CVE-2020-1307, CVE-2020-1316.
Add Assessment
Ratings
-
Attacker ValueLow
-
ExploitabilityHigh
Technical Analysis
Google Project Zero researcher Maddie Stone, who originally disclosed this vulnerability to Microsoft, reported on December 23, 2020 that the patch is incomplete and can be bypassed.
Quoting her post here: “The original issue was an arbitrary pointer dereference which allowed the attacker to control the src and dest pointers to a memcpy. The “fix” simply changed the pointers to offsets, which still allows control of the args to the memcpy.”
Stealing directly from a conversation with Metasploit’s Windows exploit expert @zeroSteiner, it sounds like this bug isn’t terribly useful as an LPE “because the slpwow64 process doesn’t run with elevated privileges—just an elevated integrity, which Microsoft doesn’t consider a security boundary anymore anyway.” Project Zero-reported vulns tend to draw media and researcher attention and there’s quite a lot of detail publicly available between Stone’s original report and this in-depth Kaspersky write-up, so we may see more exploitation even if the impact of the bug by itself isn’t terribly high. That said, the Kaspersky analysis is definitely worth a read if you want to understand this CVE’s utility for the IE 11 use case!
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportTechnical Analysis
Reported as exploited in the wild as part of Google’s 2020 0day vulnerability spreadsheet they made available at https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=1869060786. Original tweet announcing this spreadsheet with the 2020 findings can be found at https://twitter.com/maddiestone/status/1329837665378725888
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportCVSS V3 Severity and Metrics
General Information
Vendors
- microsoft
Products
- windows 10 -,
- windows 10 1607,
- windows 10 1709,
- windows 10 1803,
- windows 10 1809,
- windows 10 1903,
- windows 10 1909,
- windows 10 2004,
- windows 8.1 -,
- windows rt 8.1 -,
- windows server 2012 -,
- windows server 2012 r2,
- windows server 2016 -,
- windows server 2016 1803,
- windows server 2016 1903,
- windows server 2016 1909,
- windows server 2016 2004,
- windows server 2019 -
Exploited in the Wild
Would you like to delete this Exploited in the Wild Report?
Yes, delete this reportWould you like to delete this Exploited in the Wild Report?
Yes, delete this reportReferences
Additional Info
Technical Analysis
Report as Emergent Threat Response
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
As just said before, this vulnerability won’t get you elevated privileges, but, since the vulnerable process (
splwow64.exe
) is running with medium integrity level, it is possible to combine it with another remote code execution exploit to escape the Internet Explorer 11 sandbox and execute arbitrary code.This has been patched by Microsoft in June 2020, but it was incomplete (this patch bypass is identified as CVE-2020-17008). Moreover, this patch introduced another vulnerability (Out-Of-Bounds read), disclosed by ZDI as a 0-day advisory on December 15th, 2020. All of these bugs have been corrected in January 2021 and identified as CVE-2021-1648.