CVE-2020-17001

tags: #cve-analysis


Summary

The fix for CVE-2020-1337 is incomplete and is still vulnerable to a TOCTOU issue. The fix, which appears to check the final pathname and whether there are any hard links, can be bypassed by using a local SMB (UNC) path as the target. Because the path returned by GetFinalPathNameByHandle is the UNC path, it does not change even if the directory locally becomes a mount point.

This is yet another way to write an arbitrary file as SYSTEM. In fact it is the same technique as CVE-2020-1048, just with another bypass of the fix.

CVE-2020-17001 was detailed by James Forshaw in his bug report. He details yet another way to break the path validation by using a UNC path for the port assignment.

Components affected

  • Windows Print Spooler - issue with the underlying path resolution subsystem in Windows, specifically its handling of UNC paths.
  • Windows File-Based Canonicalization -

Security Boundaries

Which security boundaries have been crossed?

  • User - A user cannot access or tamper with the code and data of another user without being authorized.

Hashtags

Connect the CVE to a specific topic, event, theme or concept: #EoP #lpe #printers #impersonation #privFileWrite #symlink #TOCTOU

Requirements

What stars needed to align?

  • User context
  • Use of a UNC path as the printer port.
  • All the requirements of CVE-2020-1048
  • Controlling Print Spooler State (TOCTOU symlinks)

Fundamental Issue / Root Cause

Best Fit Vulnerability Class (or CWE) for this CVE

CWE-59: Improper Link Resolution Before File Access (‘Link Following’)

The GetFinalPathNameByHandle function tries to retrieve the final path of the UNC target but cannot, so it returns the UNC path itself, to which the user has write permissions; the exploitation therefore succeeds.
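The root cause above is a validation step that trusts the string GetFinalPathNameByHandle hands back, which for a UNC target is just the UNC path again. The following is an added example (not code from the bug report, the spooler, or Microsoft) of a defensive port-path policy check written in Python: it classifies the path form first and refuses UNC and device-prefixed targets outright, and only for a plain drive path does it resolve the target, confine it to an allowed root and reject reparse points along the way. The allowed root, the resolver and the reparse-point probe are injectable so the logic runs offline against constructed inputs; on a real system the check must be performed on the opened handle, not on a string, or the TOCTOU window the write-up describes remains.

```python
import os
import re
import stat
from typing import Callable, Tuple

# Constructed example: a hypothetical validator for a print-port target path.
# Policy: only local drive paths are accepted. UNC and \\?\ / \\.\ device
# paths are refused before any resolution, because a "final path" lookup on
# a UNC target returns the UNC path unchanged and proves nothing about where
# the data will land.

Resolver = Callable[[str], str]
ReparseProbe = Callable[[str], bool]


def classify_port_path(path: str) -> str:
    """Return 'unc', 'device', 'drive' or 'relative' for a Windows path string."""
    p = path.replace("/", "\\")
    if p.startswith("\\\\?\\UNC\\") or p.startswith("\\\\.\\UNC\\"):
        return "unc"          # long-path form of a UNC path
    if p.startswith("\\\\?\\") or p.startswith("\\\\.\\"):
        return "device"       # Win32 device / verbatim prefix
    if p.startswith("\\\\"):
        return "unc"          # \\server\share\... (includes \\localhost\C$)
    if re.match(r"^[A-Za-z]:\\", p):
        return "drive"
    return "relative"


def _norm(p: str) -> str:
    """Case-fold and normalise separators for a prefix comparison."""
    return p.replace("/", "\\").lower()


def _default_has_reparse_point(path: str) -> bool:
    """Windows-only probe: does any component of `path` carry the reparse attribute?"""
    parts = path.replace("/", "\\").split("\\")
    for i in range(2, len(parts) + 1):        # parts[0] is the drive ("C:")
        prefix = "\\".join(parts[:i])
        try:
            st = os.lstat(prefix)
        except OSError:
            continue
        attrs = getattr(st, "st_file_attributes", 0)
        if attrs & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0x400):
            return True
    return False


def validate_port_path(path: str, allowed_root: str,
                       resolve: Resolver = os.path.realpath,
                       has_reparse_point: ReparseProbe = _default_has_reparse_point
                       ) -> Tuple[bool, str]:
    """Return (accepted, reason_or_final_path) for a proposed port target."""
    kind = classify_port_path(path)
    if kind != "drive":
        return False, f"rejected: {kind} path; only local drive paths are accepted"
    final = resolve(path)
    # A drive path may still resolve somewhere unexpected (e.g. via a mount
    # point); apply the same classification to the resolved form.
    if classify_port_path(final) != "drive":
        return False, "rejected: target resolves to a non-local path"
    root = _norm(allowed_root.rstrip("\\")) + "\\"
    if not _norm(final).startswith(root):
        return False, "rejected: target resolves outside the allowed root"
    if has_reparse_point(final):
        return False, "rejected: reparse point (junction/symlink) in target path"
    return True, final


if __name__ == "__main__":
    # Constructed inputs; identity resolver and no reparse points, so it runs anywhere.
    for candidate in (r"C:\Users\alice\port.txt",
                      r"\\localhost\c$\Windows\System32\evil.dll",
                      "\\\\?\\UNC\\localhost\\c$\\target.txt",
                      r"\\?\C:\Windows\x"):
        print(candidate, "->", validate_port_path(
            candidate, r"C:\Users\alice",
            resolve=lambda p: p, has_reparse_point=lambda p: False))
```

The classification runs on the raw string and never on the resolved one alone, which is the point the write-up makes: a UNC path survives GetFinalPathNameByHandle untouched, so a check that only looks at the resolved string cannot distinguish the benign and the bypassing case.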

Is this CVE the Root Cause or a Causal Factor?

  • causal factor - major contributor to an undesirable condition that if eliminated, would have either prevented the occurrence of the incident or reduced its severity or frequency

It is clear that this is just another contributor to the ability to write files as SYSTEM. The major issue is still the self-impersonation issue within the spooler; see CVE-2020-1048.

Patch Info

Version

Release Date | Product                                     | Platform | Impact                  | Severity  | Article | Download        | Details
01/12/2021   | Windows 10 Version 2004 for x64-based Systems | -        | Security Feature Bypass | Important | 4598242 | Security Update | CVE-2021-1678

Treating a Symptom or Cure?