Microsoft Windows Privilege Escalation Vulnerability (CVE-2020-1054)

Overview:

In May 2020, Microsoft fixed an out-of-bounds write vulnerability, CVE-2020-1054, found in the DrawIconEx function of a Windows driver file. The bug was reported by CheckPoint security researchers Yoav Alon and Netanel Ben-Simon. The vulnerability occurs because the Windows kernel-mode driver fails to properly handle objects in memory. The flaw allows a local attacker to escalate privileges on vulnerable installations of Microsoft Windows.

Description:

The vulnerability was found in the DrawIconEx function in win32kfull.sys. The researchers provided the following parameter values in a call to DrawIconEx, which successfully exploited the flaw and escalated privileges to SYSTEM.

Image Source: CheckPoint

On GitHub, a researcher provided a demonstration of privilege escalation to SYSTEM by exploiting the out-of-bounds write vulnerability CVE-2020-1054.

Image Source: GitHub 0xeb-bp repository

For Windows 7 x64 and Windows 10 x64, a PoC is available on GitHub and CheckPoint.

The exploit requires a specific Windows KB to run.

Affected Products:

  • Windows 10 for 32-bit and x64 based Systems
  • Windows 10 Version 1607 for 32-bit and x64 based Systems
  • Windows 10 Version 1709 for 32-bit, x64 and ARM64-based Systems
  • Windows 10 Version 1803 for 32-bit, x64 and ARM64-based Systems
  • Windows 10 Version 1809 for 32-bit, x64 and ARM64-based Systems
  • Windows 10 Version 1903 for 32-bit, x64 and ARM64-based Systems
  • Windows 10 Version 1909 for 32-bit, x64 and ARM64-based Systems
  • Windows 7 for 32-bit Service Pack 1 and x64-based Systems
  • Windows 8.1 for 32-bit and x64-based systems
  • Windows RT 8.1
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 for Itanium-Based and x64-based Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 R2 for Itanium-Based and x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  • Windows Server 2012
  • Windows Server 2012 (Server Core installation)
  • Windows Server 2012 R2
  • Windows Server 2012 R2 (Server Core installation)
  • Windows Server 2016
  • Windows Server 2016 (Server Core installation)
  • Windows Server 2019
  • Windows Server 2019 (Server Core installation)
  • Windows Server, version 1803 (Server Core Installation)
  • Windows Server, version 1903 (Server Core installation)
  • Windows Server, version 1909 (Server Core installation)

Advisory:

Update your system with the latest patch, available on the following Microsoft webpage.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1054

Mitigations:

Qualys Threat Research Lab provides protection with QID 91636. Continue to follow Qualys Threat Protection for more coverage on vulnerabilities.

References & Sources:

https://cpr-zero.checkpoint.com/vulns/cprid-2153/

https://github.com/0xeb-bp/cve-2020-1054

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1054