In June of this year, Microsoft released a patch for a vulnerability in Windows that allows attackers to elevate their privileges on a compromised system to the kernel level. However, the patch did not work. The problem, which skilled hackers exploited back in May before the patch was released, can still be used in attacks (albeit in a slightly different way) with the new PoC exploit.
Google Project Zero security researcher Maddie Stone found that the June patch from Microsoft does not completely fix the CVE-2020-0986 vulnerability, and with some modifications it can still be exploited. With its help, attackers can escalate their privileges to the kernel level by passing an offset as the parameter instead of a pointer, as before.
As Stone explained, the original problem was an arbitrary pointer dereference vulnerability that gave the attacker control over the src and dest pointers passed to the memcpy function. The patch from Microsoft was not effective enough: it replaced the pointers with offsets, but the attacker still controlled those function parameters.
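To make the difference between the original bug and the incomplete fix concrete, here is an added, constructed C model (not code from Windows, Project Zero or Kaspersky Lab): a handler that takes a caller-supplied offset instead of a pointer is just as exposed if the offset is never range-checked, while the hardened form validates the range in a way that also cannot be bypassed by integer wrap-around. The `arena`, `copy_req` and function names are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the bug class described in the article: a handler
 * that copies caller-supplied data into a kernel-side buffer. The arena
 * stands for kernel memory; only the first REGION_SIZE bytes are the
 * buffer the handler is meant to write. Everything past that models an
 * adjacent kernel object that a caller must never be able to reach. */
#define ARENA_SIZE  256
#define REGION_SIZE 128

static unsigned char arena[ARENA_SIZE];

/* Request as the caller supplies it after the first patch: an offset
 * instead of a raw pointer. The caller still controls every field. */
struct copy_req {
    size_t dst_offset;            /* offset into the region */
    const unsigned char *src;     /* caller-supplied source data */
    size_t len;
};

/* Incomplete fix, modelled on the article: the pointer was replaced by an
 * offset, but the offset is added to the buffer base with no range check,
 * so a caller-chosen offset still selects an arbitrary destination. */
int copy_offset_unchecked(const struct copy_req *r)
{
    memcpy(arena + r->dst_offset, r->src, r->len);
    return 0;
}

/* Hardened form: the range is validated before the copy. The check is
 * written as `len > REGION_SIZE - off` rather than `off + len > REGION_SIZE`
 * so that a huge offset or length cannot wrap the addition and slip through. */
int copy_offset_checked(const struct copy_req *r)
{
    if (r->dst_offset > REGION_SIZE || r->len > REGION_SIZE - r->dst_offset)
        return -1;                /* reject: copy would leave the region */
    memcpy(arena + r->dst_offset, r->src, r->len);
    return 0;
}
```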
The researcher provided a short technical description of the exploitation of the vulnerability, now identified as CVE-2020-17008, and published a PoC exploit, which is an adapted version of the exploit for the original vulnerability from Kaspersky Lab.
Microsoft received a message about the new vulnerability on September 24 and confirmed the problem a day later, assigning it the identifier CVE-2020-17008. The company planned to release the patch for November 2020, but due to issues identified during the testing phase, it postponed the release to the next “patch Tuesday” on January 12, 2021.