Google’s Project Zero team of security analysts has released the details of an improperly patched 0-day vulnerability. The issue, tracked as CVE-2020-17008, lies in the Windows print spooler API, and attackers could exploit it to execute arbitrary code on affected systems.
Microsoft was notified of the issue on 24th September. The details of the unpatched flaw were made public after Microsoft failed to provide a fix within the 90-day responsible disclosure window. The original flaw was tracked as CVE-2020-0986, an elevation of privilege vulnerability in the Print Spooler API (splwow64.exe) reported to Microsoft in December 2019 by an anonymous researcher working with Trend Micro’s Zero Day Initiative (ZDI).
The issue is classified as a Windows Kernel Elevation of Privilege Vulnerability in the print spooler API. Worth noting is that this flaw was also disclosed as a zero-day through a public advisory on May 19th, 2020, after which it was exploited in the wild.
splwow64.exe implements a Local Procedure Call (LPC) interface that other processes can use to access printing functions. It also allows 32-bit applications to communicate with the 64-bit printer spooler service on 64-bit Windows systems. To exploit the flaw, however, an attacker would first have to log on to the system.
Zero-Day CVE-2020-17008 Details
Microsoft had addressed CVE-2020-0986 as part of the June Patch Tuesday update. New research from Google reveals that the flaw was not completely patched.
Google Project Zero researcher Maddie Stone said in a detailed write-up:
CVE-2020-0986, which was exploited in the wild was not fixed. The vulnerability still exists, just the exploitation method had to change.
The researcher explained that the only difference between the two is that to exploit CVE-2020-0986 the attacker had to send a pointer, whereas for CVE-2020-17008 the attacker sends an offset. This is a consequence of the “fix”, in which pointers were simply changed to offsets, which still leaves the attacker in control of the arguments to the memcpy.
Stone also shared proof-of-concept (PoC) exploit code and details for CVE-2020-17008, based on a PoC released by Kaspersky for CVE-2020-0986.
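The “pointer to offset” problem described above is a general bug class, not something specific to this one binary. The following added example (constructed for this article; it is not the splwow64.exe code and not the Project Zero or Kaspersky PoC, and every name in it is hypothetical) shows an LPC-style message handler in the shape of the incomplete fix, where a caller-supplied offset and length still feed memcpy unchecked, next to a handler that validates both values against the real size of the region before copying.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical shared region exchanged over an LPC-style interface (constructed for illustration). */
#define SHARED_SIZE 256u

typedef struct {
    uint32_t dst_offset;   /* where in the shared region to copy to: caller-controlled */
    uint32_t len;          /* how many bytes to copy: caller-controlled */
    uint8_t  data[64];     /* payload carried in the message */
} msg_t;

typedef struct {
    uint8_t shared[SHARED_SIZE];
    uint8_t guard[16];     /* bytes after the region; a correct handler never touches them */
} region_t;

/* Shape of the incomplete fix: the message carries an offset instead of a raw pointer,
 * but nothing validates it, so the caller still chooses the memcpy destination and size.
 * Deliberately never called here; shown only to contrast with the checked version. */
void handle_offset_unchecked(region_t *r, const msg_t *m) {
    memcpy(r->shared + m->dst_offset, m->data, m->len);
}

/* Complete fix: every caller-controlled value that reaches memcpy is checked against the
 * real bounds. The third check subtracts rather than adds, so it cannot wrap around. */
bool handle_offset_checked(region_t *r, const msg_t *m) {
    if (m->len > sizeof m->data)              return false; /* more bytes than the message carries */
    if (m->dst_offset >= SHARED_SIZE)         return false; /* offset itself is outside the region */
    if (m->len > SHARED_SIZE - m->dst_offset) return false; /* copy would run past the end */
    memcpy(r->shared + m->dst_offset, m->data, m->len);
    return true;
}

/* True if the guard bytes after the region are still all zero. */
bool guard_intact(const region_t *r) {
    for (size_t i = 0; i < sizeof r->guard; i++)
        if (r->guard[i] != 0) return false;
    return true;
}

/* Feeds three constructed messages to the checked handler; returns how many were accepted.
 * Only the first is legitimate. With the additive form (offset + len > SHARED_SIZE) the
 * third would wrap to 0x10 and pass; the subtractive form and the offset check reject it. */
int demo_accepted(region_t *r) {
    memset(r, 0, sizeof *r);
    msg_t in_bounds  = { .dst_offset = 0,           .len = 64 };
    msg_t past_end   = { .dst_offset = 250,         .len = 64 };  /* 250 + 64 > 256 */
    msg_t wraparound = { .dst_offset = 0xFFFFFFF0u, .len = 32 };  /* 0xFFFFFFF0 + 32 wraps */
    memset(in_bounds.data, 0x41, sizeof in_bounds.data);
    int accepted = 0;
    accepted += handle_offset_checked(r, &in_bounds);
    accepted += handle_offset_checked(r, &past_end);
    accepted += handle_offset_checked(r, &wraparound);
    return accepted;
}
```

The point of the checked version is that swapping the pointer for an offset changes only how the attacker expresses the destination; the copy is only safe once the offset and the length are both validated against the bounds of the region they index.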
There have been too many occurrences this year of 0days known to be actively exploited being fixed incorrectly or incompletely.
Microsoft was aiming to release a patch in November but postponed the fix due to issues identified in testing.
The affected products are:
- Microsoft Windows 10
- Microsoft Windows 10 1607
- Microsoft Windows 10 1709
- Microsoft Windows 10 1803
- Microsoft Windows 10 1809
- Microsoft Windows 10 1903
- Microsoft Windows 10 1909
- Microsoft Windows 10 2004
- Microsoft Windows 8.1
- Microsoft Windows Server 2012
- Microsoft Windows Server 2012 R2
- Microsoft Windows Server 2016
- Microsoft Windows Server 2016 1803
- Microsoft Windows Server 2016 1903
- Microsoft Windows Server 2016 1909
- Microsoft Windows Server 2016 2004
- Microsoft Windows Server 2019
Successful exploitation of this vulnerability could allow an attacker to manipulate the memory of the splwow64.exe process to gain elevated privileges, which could then be used to install malicious programs; view, change, or delete data; or create new accounts with full user rights.
The newly reported flaw CVE-2020-17008 is expected to be resolved by Microsoft on 12th January 2021, the January 2021 Patch Tuesday.