CVE-2020-1337 icon indicating copy to clipboard operation
CVE-2020-1337 copied to clipboard

CVE-2020-1048 bypass: binary planting PoC

CVE-2020-1337 - Binary Planting (CVE-2020-1048 bypass)

Peleg Hadar (@peleghd) and Tomer Bar at SafeBreach (@safebreach) were acknowledged by Microsoft by the CVE-2020-1048, a Windows Spooler Vulnerability that allows an elevation of privilege on Windows 7 and later.

Some details were disclosed by Alex Ionescu (@aionescu) and Yarden Shafir (@yarden_shafir) on his cool blog post PrintDemon: Print Spooler Privilege Escalation, Persistence & Stealth (CVE-2020-1048 & more). Using this knowledge I found a bypass for the patch using Windows junction points and symlinks (kudos to James Forshaw @tiraniddo).

My report was a dupe because the root cause was previously reported by someone else and the report was assigned the CVE-2020-1337, a really c00l CVE :-)

This C# code allows to place a malicious DLL to the local C:\windows\system32 directory in order to be loaded by a DLL hijacking vulnerable application or service.

Blog post: CVE-2020-1337: my two cents; also in spanish.

How to compile

Use Visual Studio in order to get a self-contained binary. The magic is done using the next Nuget packages:

How to use

Place the binary and your malicious file in the same path and execute the first step:

First Step

Manually reboot the system and execute the second step to finally plant your DLL with its final name:

Second Step
