- CVE #: CVE-2020-17001
- Related CWE(s):
- Related CVE(s):
- created: 2021-01-29
- title: Windows: Local Spooler CVE-2020-1337 Bypass
- web: https://bugs.chromium.org/p/project-zero/issues/detail?id=2075&q=CVE-2020-17001&can=1
- platform: Windows
- descriptor tags: #cve #security #pathCanonacalization
The fix for CVE-2020-1337 is incomplete and is still vulnerable to a TOCTOU issue. The fix, which seems to involve checking the final pathname and whether there are any hardlinks, can be bypassed by using a local SMB path as the target. Because the path returned from GetFinalPathNameByHandle is the UNC path, it doesn't change even if the directory locally becomes a mount point.
This is yet another way to write an arbitrary file as SYSTEM. Actually it is the same way as CVE-2020-1048, just another bypass.
- Windows Print Spooler - issue with the underlying path resolution subsystem in Windows. Specifically a UNC path.
- Windows File-Based Canonicalization -
which security boundaries have been crossed?
- User - A user cannot access or tamper with the code and data of another user without being authorized.
connect CVE to a specific topic, event, theme or concept #EoP #lpe #printers #impersonation #privFileWrite #symlink #TOCTOU
what stars needed to align?
- User context
- Use of a UNC path as the printer port.
- All the requirements of CVE-2020-1048
- Controlling Print Spooler State (TOCTOU symlinks)
4. The GetFinalPathNameByHandle function will try to retrieve the final path of the UNC path, but won't be able to, so it will return the UNC path which the user has write permissions to, which means the exploitation will be successful.
- causal factor - major contributor to an undesirable condition that if eliminated, would have either prevented the occurrence of the incident or reduced its severity or frequency
It's clear that this is just another contributor to the ability to write files as SYSTEM. The major issue is still the self-impersonation issue within the spooler. See CVE-2020-1048.
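One precondition listed above is a printer port whose name is a UNC path back to the same machine, which the final-path check sees only as a UNC path. The following audit sketch is an added example, not code from the original report: it classifies printer port names and surfaces file-backed ports, UNC-to-self first. It assumes the port names were exported beforehand (for instance from `Get-PrinterPort`) and that `local_names` lists the machine's own names and addresses; the function names and sample values are constructed for illustration.

```python
import re

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
RANK = {"unc-local": 0, "unc-remote": 1, "local-file": 2}

def classify_port(name, local_names=()):
    """Return 'device', 'local-file', 'unc-remote' or 'unc-local' for a port name."""
    p = name.strip().replace("/", "\\")
    low = p.lower()
    # Fold the extended-length and device prefixes into the plain forms.
    if low.startswith(("\\\\?\\unc\\", "\\\\.\\unc\\")):
        p = "\\\\" + p[8:]            # \\?\UNC\host\share -> \\host\share
    elif low.startswith(("\\\\?\\", "\\\\.\\")):
        p = p[4:]                     # \\?\C:\dir -> C:\dir
    if p.startswith("\\\\"):
        host = p[2:].split("\\", 1)[0].lower()
        # Assumption: local_names holds this machine's own names and addresses.
        own = LOOPBACK | {n.lower() for n in local_names}
        return "unc-local" if host in own or host.startswith("127.") else "unc-remote"
    if re.match(r"[A-Za-z]:\\", p):
        return "local-file"
    return "device"                   # LPT1:, COM3:, USB001, IP_..., etc.

def audit(ports, local_names=()):
    """List (port, kind) for ports that name a file, UNC-to-self first."""
    hits = [(p, classify_port(p, local_names)) for p in ports]
    return sorted((h for h in hits if h[1] in RANK), key=lambda h: RANK[h[1]])

# Constructed sample port names (not taken from a real system).
SAMPLE_PORTS = [
    "LPT1:", "COM3:", "PORTPROMPT:", "USB001", "IP_10.0.0.15",
    r"C:\Users\Public\out.prn",
    r"\\localhost\share\job.bin",
    r"\\?\UNC\WS-042\share\spool.dat",
    r"\\fileserver\prints\queue.prn",
]

if __name__ == "__main__":
    for port, kind in audit(SAMPLE_PORTS, local_names=("WS-042",)):
        print(f"{kind:11} {port}")
```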
|01/12/2021||Windows 10 Version 2004 for x64-based Systems||-||Security Feature Bypass||Important||4598242||Security Update||CVE-2021-1678|