Hacking

Google reported that Microsoft failed to fix a Windows zero-day flaw

Google’s Project Zero experts publicly disclosed details of an improperly patched zero-day code execution vulnerability in Windows.

White hat hackers at Google’s Project Zero team has publicly disclosed details of an improperly patched zero-day vulnerability in Windows.

The vulnerability tracked as CVE-2020-0986, resides in the Print Spooler API and could be exploited by a threat actor to execute arbitrary code.

Google experts published the details of the vulnerability after Microsoft failed to address the issue within 90 days of responsible disclosure on September 24.

The flaw was reported to Microsoft by an anonymous user working with Trend Micro’s Zero Day Initiative (ZDI) in December 2019.

“The vulnerability is almost exactly the same as CVE-2019-0880 [detailed technical analysis]. Just like CVE-2019-0880, this vulnerability allows the attacker to call memcpy with arbitrary parameters in the splwow64 privileged address space. The arbitrary parameters are sent in an LPC message to splwow64.” reads the security advisory. “In this case, the vulnerable message type is 0x6D, which is the call to DocumentEvent. After DocumentEvent is called from GdiPrinterThunk, a call to memcpy can occur as long as you craft specific fields in your LPC message to the right values. This memcpy call is at gdi32full!GdiPrinterThunk+0x1E85A.”

Splwow64.exe is a Windows core system file that allows 32-bit applications to connect with the 64-bit printer spooler service on x64 Windows builds.

On May 19, 2010, ZDI published an advisory after that threat actors exploited the flaw in the wild in a campaign tracked as “Operation PowerFall.”

In May 2020, Kaspersky experts spotted an attack on a South Korean company, threat actors chained two zero-day exploits: a remote code execution exploit for Internet Explorer and an elevation of privilege exploit for Windows.

“This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.” reads the ZDI’s advisory.

“The specific flaw exists within the user-mode printer driver host process splwow64.exe. The issue results from the lack of proper validation of a user-supplied value prior to dereferencing it as a pointer. An attacker can leverage this vulnerability to escalate privileges from low integrity and execute code in the context of the current user at medium integrity.”

An attacker could exploit this zero-day to manipulate the memory of the “splwow64.exe” process to achieve execution of arbitrary code in kernel mode. The flaw could allow installing malicious programs, view, change, or delete data, and create new accounts with full user rights.

Microsoft attempted to address the issue with the June Patch Tuesday security updates, but Google Project Zero experts discovered that the issue has not been fully solved.

“CVE-2020-0986, which was exploited in the wild[1] was not fixed. The vulnerability still exists, just the exploitation method had to change.” reads the advisory published by Google Project Zero researcher Maddie Stone.

The issue received a new CVE, CVE-2020-17008, and will be likely fixed by Microsoft in January.

Google experts have also shared a proof-of-concept (PoC) exploit code for CVE-2020-17008.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Windows)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

3 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

10 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

21 hours ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

1 day ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

1 day ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

1 day ago

This website uses cookies.