Microsoft released a patch for a Windows vulnerability in June this year. Attackers can use the vulnerability to escalate their privileges to kernel level on a compromised computer. The patch does not completely fix the vulnerability.
The vulnerability was exploited as a 0-day by advanced attackers in May this year. On December 23, security researchers published PoC code that uses a different method to show that the vulnerability can still be exploited.
Security researcher Maddie Stone of the Google Project Zero team discovered that the patch released by Microsoft in June did not fix the original vulnerability (CVE-2020-0986), and with some adjustments, the vulnerability can still be exploited.
In May 2020, the vulnerability was used in an in-the-wild attack to elevate privileges, alongside an Internet Explorer vulnerability that could lead to remote code execution. When Kaspersky discovered the attack, both vulnerabilities were still 0-days.
Stone said that an attacker who sends an offset instead of a pointer can still trigger CVE-2020-0986 and then escalate privileges to kernel level.
The researcher explained on Twitter that the original bug was an arbitrary pointer dereference, allowing an attacker to control the “src” and “dest” pointers passed to the memcpy function.
Microsoft’s fix was incomplete: it replaced the pointer with an offset, but the function’s parameters can still be controlled.
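To make the shape of the incomplete fix concrete, here is a constructed C model (added for this article; it is not the splwow64 code and the structure, function names and buffer size are assumptions): the original bug takes raw pointers from the message, the partial fix swaps them for offsets without validating them, and the hardened handler rejects any request whose offset range falls outside the buffer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model, not the splwow64 code: a privileged handler copies data
 * inside a message buffer using fields the untrusted sender supplies. */
typedef struct {
    uint32_t dst_offset;   /* sender-controlled */
    uint32_t src_offset;   /* sender-controlled */
    uint32_t len;          /* sender-controlled */
} copy_request_t;

/* Shape of the original bug: dst and src are raw pointers taken straight
 * from the message, so the sender chooses where memcpy reads and writes. */
void copy_raw_pointers(uint8_t *dst, const uint8_t *src, size_t len) {
    memcpy(dst, src, len);
}

/* Shape of the incomplete fix: pointers became base + offset, but the offset
 * is never compared with the buffer size, so the addresses are still chosen
 * by the sender. */
void copy_offset_unchecked(uint8_t *base, const copy_request_t *r) {
    memcpy(base + r->dst_offset, base + r->src_offset, r->len);
}

/* Hardened: [off, off + len) must lie inside the buffer. Written so that a
 * huge offset or length cannot wrap around and pass the check by accident. */
bool range_in_buffer(size_t buf_size, uint32_t off, uint32_t len) {
    return off <= buf_size && len <= buf_size - off;
}

bool copy_offset_checked(uint8_t *base, size_t buf_size, const copy_request_t *r) {
    if (!range_in_buffer(buf_size, r->dst_offset, r->len) ||
        !range_in_buffer(buf_size, r->src_offset, r->len))
        return false;               /* reject instead of touching memory outside buf */
    memmove(base + r->dst_offset, base + r->src_offset, r->len);
    return true;
}

/* Runs one request against a 64-byte buffer filled with buf[i] = i; returns
 * true only if the hardened handler accepted it and the first byte moved. */
bool request_accepted(uint32_t dst, uint32_t src, uint32_t len) {
    uint8_t buf[64];
    for (size_t i = 0; i < sizeof buf; i++) buf[i] = (uint8_t)i;
    copy_request_t r = { dst, src, len };
    return copy_offset_checked(buf, sizeof buf, &r) && len > 0 && buf[dst] == (uint8_t)src;
}
```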
In the technical report, Stone explained how to trigger the vulnerability, and Microsoft assigned it a new identifier, CVE-2020-17008.
To confirm that the vulnerability could still be exploited after Microsoft’s patch, Stone adjusted Kaspersky’s original PoC and published the revised PoC along with guidance on how to run it correctly.
The researcher added that the PoC triggers the vulnerability twice: “first leak the heap address of the stored message and the added offset to generate a pointer, and then perform arbitrary writes.”
Microsoft received the report on September 24 and confirmed the vulnerability a day later. Microsoft originally planned to release the patch in November 2020, but other issues were discovered during testing, and the patch has been postponed to Patch Tuesday in January 2021.
The Google Project Zero team’s disclosure deadline is 90 days, with a further 14-day extension available if a vendor needs more time to roll out a patch. Since Microsoft indicated that the patch could not be released before January 6 next year, neither deadline could be met.
Stone also noted that the attackers have already used the vulnerability and are familiar with it; if it is not fully fixed, they may use it again.