CVE-2020-1337 - Binary Planting (CVE-2020-1048 bypass)

Peleg Hadar (@peleghd) and Tomer Bar at SafeBreach (@safebreach) were acknowledged by Microsoft by the CVE-2020-1048, a Windows Spooler Vulnerability that allows an elevation of privilege on Windows 7 and later.

Some details were disclosed by Alex Ionescu (@aionescu) and Yarden Shafir (@yarden_shafir) on his cool blog post PrintDemon: Print Spooler Privilege Escalation, Persistence & Stealth (CVE-2020-1048 & more). Using this knowledge I found a bypass for the patch using Windows junction points and symlinks (kudos to James Forshaw @tiraniddo).

My report was a dupe because the root cause was previously reported by someone else and the report was assigned the CVE-2020-1337, a really c00l CVE :-)

This C# code allows to place a malicious DLL to the local C:\windows\system32 directory in order to be loaded by a DLL hijacking vulnerable application or service.

Blog post: CVE-2020-1337: my two cents; also in spanish.

How to compile

Use Visual Studio in order to get a self-contained binary. The magic is done using the next Nuget packages:

• NtApiDotNet
• IlMerge 3.0.40
• MSBuild.ILMerge.Task

How to use

Place the binary and your malicious file in the same path and execute the first step:

Manually reboot the system and execute the second step to finally plant your DLL with its final name:

Acknowledgements

• Alex Ionescu (@aionescu) and Yarden Shafir (@yarden_shafir)
• Peleg Hadar (@peleghd) and Tomer Bar
• James Forshaw (@tiraniddo)
• BC Security (@BCSecurity1)
• All the partners that help me testing the PoC: Marc (@h4ng3r), Ignasi (@Ny4nyi), Iñaki (@virtualminds_es) and Hector (@3v4Si0N).