Peleg Hadar (@peleghd) and Tomer Bar at SafeBreach (@safebreach) were acknowledged by Microsoft by the CVE-2020-1048, a Windows Spooler Vulnerability that allows an elevation of privilege on Windows 7 and later.
Some details were disclosed by Alex Ionescu (@aionescu) and Yarden Shafir (@yarden_shafir) on his cool blog post PrintDemon: Print Spooler Privilege Escalation, Persistence & Stealth (CVE-2020-1048 & more). Using this knowledge I found a bypass for the patch using Windows junction points and symlinks (kudos to James Forshaw @tiraniddo).
My report was a dupe because the root cause was previously reported by someone else and the report was assigned the CVE-2020-1337, a really c00l CVE :-)
This C# code allows to place a malicious DLL to the local C:\windows\system32 directory in order to be loaded by a DLL hijacking vulnerable application or service.
Blog post: CVE-2020-1337: my two cents; also in spanish.
Use Visual Studio in order to get a self-contained binary. The magic is done using the next Nuget packages:
Place the binary and your malicious file in the same path and execute the first step:
Manually reboot the system and execute the second step to finally plant your DLL with its final name:
- Alex Ionescu (@aionescu) and Yarden Shafir (@yarden_shafir)
- Peleg Hadar (@peleghd) and Tomer Bar
- James Forshaw (@tiraniddo)
- BC Security (@BCSecurity1)
- All the partners that help me testing the PoC: Marc (@h4ng3r), Ignasi (@Ny4nyi), Iñaki (@virtualminds_es) and Hector (@3v4Si0N).