tags: #cve-analysis

CVE-2020-1337

Summary

CVE-2020-1337 is a bypass, via a directory junction, of the patch for CVE-2020-1048 (PrintDemon). That patch was made to remediate an Elevation of Privilege (EoP) / Local Privilege Escalation (LPE) vulnerability affecting the Windows Print Spooler service.

Since the check only happens when a new port is created, a path the user has read/write permission on will pass it. If the path later changes (for example, the directory is replaced by a junction pointing elsewhere), the Print Spooler service does not check it again and prints directly to the new target, leading to a time-of-check to time-of-use (TOCTOU) vulnerability.

Think CVE-2020-1048 with a directory junction bypass.
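An added audit script, not from the original note, that enumerates local printer ports pointing at file paths and flags any whose directory chain contains a junction or other reparse point, working out where the spooler would actually write. The $protectedRoots list and the helper name are assumptions for illustration; it needs the PrintManagement module.

```powershell
# Added example (not from the original note): audit printer ports that point at file system
# paths and flag any whose directory chain contains a junction or other reparse point, the
# condition CVE-2020-1337 abused. Needs the PrintManagement module (Windows 8 / Server 2012+).
# $protectedRoots is an assumed list of locations a user-created port should never reach.
$protectedRoots = @("$env:SystemRoot", "$env:ProgramFiles")

function Get-DeepestReparseAncestor {
    param([string]$Path)
    # Walk from the port's parent directory towards the drive root; return the first
    # (deepest) directory that is a reparse point, or $null if the chain is plain.
    $dir = Split-Path -Path $Path -Parent
    while ($dir -and (Split-Path -Path $dir -Parent)) {
        $item = Get-Item -LiteralPath $dir -Force -ErrorAction SilentlyContinue
        if ($item -and ($item.Attributes -band [IO.FileAttributes]::ReparsePoint)) {
            return [pscustomobject]@{
                Directory = $dir
                LinkType  = $item.LinkType
                Target    = (@($item.Target) -join ';')
            }
        }
        $dir = Split-Path -Path $dir -Parent
    }
    return $null
}

# Only ports whose name is a drive or UNC path are candidates (FILE:, LPT1: etc. are not).
Get-PrinterPort | Where-Object { $_.Name -match '^(?:[A-Za-z]:\\|\\\\)' } | ForEach-Object {
    $port    = $_
    $reparse = Get-DeepestReparseAncestor -Path $port.Name
    # Effective path: substitute the junction target for the junction directory, if any,
    # because that is where the spooler actually writes once the junction is in place.
    $effective = $port.Name
    $target    = ''
    if ($reparse -and $reparse.Target) {
        $target    = $reparse.Target
        $effective = $target.Split(';')[0] + $port.Name.Substring($reparse.Directory.Length)
    }
    $hitsProtected = [bool]($protectedRoots | Where-Object { $effective -like "$_\*" })
    [pscustomobject]@{
        Port           = $port.Name
        Monitor        = $port.PortMonitor
        ReparseInChain = [bool]$reparse
        ReparseTarget  = $target
        EffectivePath  = $effective
        HitsProtected  = $hitsProtected
    }
} | Sort-Object -Property HitsProtected, ReparseInChain -Descending | Format-Table -AutoSize
```

Rows with ReparseInChain or HitsProtected set to True are the ones worth investigating; a port whose effective path lands under a protected root is exactly the post-creation redirection the patch for CVE-2020-1048 did not re-check.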

Components affected

  • Windows Print Spooler

Security Boundaries

Which security boundaries have been crossed?

  • User - A user cannot access or tamper with the code and data of another user without being authorized.

Hashtags

Connect the CVE to a specific topic, event, theme or concept: #EoP #lpe #printers #impersonation #privFileWrite #symlink #TOCTOU

Requirements

What stars needed to align?

  • User context
  • Controlling Print Spooler State
    • TOCTOU - Use of directory junction to overcome PortIsValid call

Fundamental Issue / Root Cause

Best Fit Vulnerability Class (or CWE) for this CVE

Is this CVE the Root Cause or a Causal Factor?

  • Causal factor - a major contributor to an undesirable condition that, if eliminated, would have either prevented the occurrence of the incident or reduced its severity or frequency

It’s clear that this is just another contributor to the ability to write files as SYSTEM; the major issue is still the self-impersonation issue within the spooler. See CVE-2020-1048.

Patch Info

Version

| Release Date | Product | Platform | Impact | Severity | Article | Download | Details |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Nov 10 2020 | Windows 10 Version 2004 for x64-based Systems | - | Elevation of Privilege | Important | 4586781 | Security Update | CVE-2020-17001 |

Treating a Symptom or Cure?