Attacker Value: Moderate

CVE-2020-0668

Disclosure Date: February 11, 2020

Exploitability (2 users assessed): Moderate
Attack Vector: Local
Privileges Required: Low
User Interaction: None

Description

An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory, aka ‘Windows Kernel Elevation of Privilege Vulnerability’. This CVE ID is unique from CVE-2020-0669, CVE-2020-0670, CVE-2020-0671, CVE-2020-0672.

Ratings: 7

Technical Analysis

This assessment covers one of the PoC techniques used to exploit the vulnerability; I much prefer the way @bwatters-r7 covers the details of the vulnerability.

This CVE includes an incorrect description (a very weak description that does a poor job of describing the actual vulnerability); please see the sources/citations/original CVE PoC postings. I have also reached out to the PoC authors.

Overview

A vulnerability was discovered within the Update Orchestrator Service in Windows 10. This service allows for updating and checking for updates on a Windows system. A user has the ability to interact with the service using COM to provide an update scan or to download any pending updates for the system.

This service runs as SYSTEM on the Windows system, and it tries to load a missing DLL. This vulnerability can be classed as a DLL hijacking vulnerability, where a user can add windowscoredeviceinfo.dll to the Windows system32 directory and have it loaded by the Uso service to obtain arbitrary code execution at the system level.

Someone with the ability to write to the system32 directory, either an administrator or a low-level user that has some sort of arbitrary write primitive, can then use the command usoclient StartInteractiveScan as a trigger for the vulnerability.

Impact

Successful exploitation of this vulnerability can lead to an unauthorized and unauthenticated user obtaining system-level access in kernel mode on the system. Successful exploitation of this vulnerability can allow a user from a low-integrity standpoint to obtain NT AUTHORITY\SYSTEM access.

This vulnerability would allow for the degradation of the integrity and security of the victim's host system.

A working proof-of-concept for the exploitation of this vulnerability does exist.

https://www.youtube.com/watch?v=ml2feXa6cCY
https://github.com/nu11secur1ty/Windows10Exploits/tree/master/Undefined/CVE-2020-0668

Recommended remediation

The recommended security remediation for this vulnerability is to follow the security updates provided by Microsoft and await any patching that your company may push out.


C:\Users\123>sc qc UsoSvc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: UsoSvc
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k netsvcs
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Update Orchestrator Service for Windows Update
        DEPENDENCIES       : rpcss
        SERVICE_START_NAME : LocalSystem
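
As an added defensive check, not part of this assessment or of the PoC it cites, the following PowerShell audit looks for the three conditions the writeup above ties together: an unexpected or unsigned windowscoredeviceinfo.dll sitting in System32, a non-administrative principal holding a write-capable ACE on System32, and UsoSvc still configured to run as LocalSystem (matching the sc qc output). The set of "trusted" principals and the rights mask treated as write-capable are this audit's own assumptions, not a Microsoft definition.

```powershell
# Added defensive audit for the UsoSvc DLL-hijack condition described above.
# Assumptions (this audit's own): the DLL name and System32 location from the
# writeup; "trusted" writers are SYSTEM, Administrators and TrustedInstaller.

$system32 = Join-Path $env:SystemRoot 'System32'
$dllPath  = Join-Path $system32 'windowscoredeviceinfo.dll'

# 1. Is a DLL present at the hijack location, and is it Authenticode-signed?
#    A valid Microsoft signature is expected; 'NotSigned' or an unknown signer
#    at this path is a strong indicator that the DLL was planted.
if (Test-Path -LiteralPath $dllPath) {
    $sig = Get-AuthenticodeSignature -FilePath $dllPath
    [PSCustomObject]@{
        Check  = 'DLL present in System32'
        Path   = $dllPath
        Status = $sig.Status
        Signer = $sig.SignerCertificate.Subject
    }
} else {
    [PSCustomObject]@{
        Check  = 'DLL present in System32'
        Path   = $dllPath
        Status = 'Absent'
        Signer = $null
    }
}

# 2. Write-capable ACEs on System32 held by principals outside the trusted set.
#    Rights treated as write-capable (an assumption of this audit):
#    CreateFiles, Write, Modify or FullControl. Inherit-only ACEs are skipped
#    because they do not apply to the directory itself.
$trusted     = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')
$writeRights = [int]([System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                     [System.Security.AccessControl.FileSystemRights]::Write       -bor
                     [System.Security.AccessControl.FileSystemRights]::Modify      -bor
                     [System.Security.AccessControl.FileSystemRights]::FullControl)
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

(Get-Acl -LiteralPath $system32).Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights) -band $writeRights) -ne 0 -and
        (([int]$_.PropagationFlags) -band $inheritOnly) -eq 0 -and
        ($trusted -notcontains $_.IdentityReference.Value)
    } |
    ForEach-Object {
        [PSCustomObject]@{
            Check    = 'Non-trusted write ACE on System32'
            Identity = $_.IdentityReference.Value
            Rights   = $_.FileSystemRights
        }
    }

# 3. Service account and binary path for UsoSvc. StartName 'LocalSystem'
#    confirms the SYSTEM context that makes a planted DLL valuable to an attacker.
Get-CimInstance -ClassName Win32_Service -Filter "Name='UsoSvc'" |
    Select-Object Name, StartName, State, PathName
```

Run it from an elevated prompt so Get-Acl can read the System32 security descriptor. A clean host reports the DLL as 'Absent' (or 'Valid' with a Microsoft signer), no write ACEs outside the trusted set, and UsoSvc as LocalSystem; a write ACE for a broad group such as BUILTIN\Users is the condition that turns this missing-DLL load into a local privilege escalation and should be investigated regardless of patch status.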
