CVE-2020-1048 bypass: binary planting PoC
Peleg Hadar (@peleghd) and Tomer Bar at SafeBreach (@safebreach) were acknowledged by Microsoft by the CVE-2020-1048, a Windows Spooler Vulnerability that allows an elevation of privilege on Windows 7 and later.
Some details were disclosed by Alex Ionescu (@aionescu) and Yarden Shafir (@yarden_shafir) on his cool blog post PrintDemon: Print Spooler Privilege Escalation, Persistence & Stealth (CVE-2020-1048 & more). Using this knowledge I found a bypass for the patch using Windows junction points and symlinks (kudos to James Forshaw @tiraniddo).
My report was a dupe because the root cause was previously reported by someone else and the report was assigned the CVE-2020-1337, a really c00l CVE :-)
This C# code allows to place a malicious DLL to the local C:\windows\system32
directory in order to be loaded by a DLL hijacking vulnerable application or service.
Blog post: CVE-2020-1337: my two cents; also in spanish.
Use Visual Studio in order to get a self-contained binary. The magic is done using the next Nuget packages:
Place the binary and your malicious file in the same path and execute the first step:
Manually reboot the system and execute the second step to finally plant your DLL with its final name: