Attacker Value: Moderate (2 users assessed)
Exploitability: Moderate (2 users assessed)
User Interaction: None
Privileges Required: Low
Attack Vector: Local

CVE-2020-0668

Disclosure Date: February 11, 2020

Description

An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory, aka ‘Windows Kernel Elevation of Privilege Vulnerability’. This CVE ID is unique from CVE-2020-0669, CVE-2020-0670, CVE-2020-0671, CVE-2020-0672.

Technical Analysis


This assessment covers one of the POC techniques used to exploit the vulnerability; I much prefer the way @bwatters-r7 covers the details of the vulnerability.

This CVE includes an incorrect description (a very weak description that does a poor job of describing the actual vulnerability); please see the sources/citations/original CVE POC postings. I have also reached out to the POC authors.

Overview

A vulnerability was discovered within the Update Orchestrator Service within Windows 10. This service allows for updating and checking for updates on a Windows system. A user has the ability to interact with the service using COM to provide an update scan or to download any pending updates for the system.

This service runs under SYSTEM on the Windows system, and it tries to load a missing DLL. This vulnerability can be classed as a DLL hijacking vulnerability, where a user can add windowscoredeviceinfo.dll to the Windows System32 directory and have it loaded by the USO service to obtain arbitrary code execution at a system level.

Someone with the ability to write to the System32 directory, either an administrator or a low-level user that has some sort of arbitrary-write primitive, can then use the command usoclient StartInteractiveScan as a trigger for the vulnerability.

Impact

Successful exploitation of this vulnerability can lead to an unauthorized and unauthenticated user obtaining system-level access in kernel mode on the system. Successful exploitation of this vulnerability can allow a user starting from a low-integrity standpoint to obtain NT AUTHORITY access.

This vulnerability would allow for the degradation of the integrity and security of the victim’s house system.

A working proof-of-concept for the exploitation of this vulnerability does exist.

https://www.youtube.com/watch?v=ml2feXa6cCY
https://github.com/nu11secur1ty/Windows10Exploits/tree/master/Undefined/CVE-2020-0668

Recommended remediation

The recommended security remediation for this vulnerability is to follow the provided security updates from Microsoft, and await any sort of patching that your company may push out.

C:\Users\123>sc qc UsoSvc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: UsoSvc
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k netsvcs
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Update Orchestrator Service for Windows Update
        DEPENDENCIES       : rpcss
        SERVICE_START_NAME : LocalSystem
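As an added defensive check (not code from this assessment or the linked PoC), the following PowerShell reports whether the DLL named above is present in System32 and how it is signed, lists any System32 ACEs that grant file-creation rights to identities other than SYSTEM, Administrators and TrustedInstaller, and confirms the UsoSvc account matches the sc qc output. The DLL path and the trusted-identity list are assumptions for this check.

```powershell
# Added defensive check, not code from the assessment or the linked PoC.
# 1) Is the DLL the USO service looks for present in System32, and is it
#    Microsoft-signed? An unsigned or unexpectedly signed copy is a red flag.
# 2) Which identities besides SYSTEM, Administrators and TrustedInstaller
#    hold create-file rights on System32? Those accounts could plant the DLL
#    without needing any further primitive.
# 3) Confirm UsoSvc still runs as LocalSystem (as in the sc qc output above).
$System32 = Join-Path $env:SystemRoot 'System32'
$DllPath  = Join-Path $System32 'windowscoredeviceinfo.dll'   # assumed path

function Test-UsoHijackDll {
    param([string]$Path = $DllPath)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Present = $false; SignatureStatus = 'n/a'; Signer = $null }
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path            = $Path
        Present         = $true
        SignatureStatus = $sig.Status.ToString()      # expect 'Valid' for a Microsoft DLL
        Signer          = $sig.SignerCertificate.Subject
    }
}

function Get-System32WriteAces {
    # Assumed trusted set; review any other identity that appears, including
    # inherit-only entries such as CREATOR OWNER.
    $trusted = '^(NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators|NT SERVICE\\TrustedInstaller)$'
    # CreateFiles (same bit as WriteData) is the right needed to drop a new file.
    $writeMask = [System.Security.AccessControl.FileSystemRights]::CreateFiles
    (Get-Acl -LiteralPath $System32).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $writeMask) -ne 0 -and
            $_.IdentityReference.Value -notmatch $trusted
        } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

function Get-UsoSvcIdentity {
    Get-CimInstance -ClassName Win32_Service -Filter "Name='UsoSvc'" |
        Select-Object Name, StartName, State, PathName
}

Test-UsoHijackDll    | Format-List
Get-System32WriteAces | Format-Table -AutoSize
Get-UsoSvcIdentity   | Format-List
```

An empty write-ACE list together with an absent or validly Microsoft-signed DLL means the hijack path described above is not open to standard users on that host; a present, unsigned copy warrants investigation.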

CVSS V3 Severity and Metrics

Base Score: 7.8 High
Impact Score: 5.9
Exploitability Score: 1.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

General Information

Vendors

  • Microsoft

Products

  • Windows 10
  • Windows 10 1607
  • Windows 10 1709
  • Windows 10 1803
  • Windows 10 1809
  • Windows 10 1903
  • Windows 10 1909
  • Windows 7
  • Windows 8.1
  • Windows RT 8.1
  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2016 1803
  • Windows Server 2016 1903
  • Windows Server 2016 1909
  • Windows Server 2019