CVE-2020-1241

A security feature bypass vulnerability exists when Windows Kernel fails to properly sanitize certain parameters.To exploit the vulnerability, a locally-authenticated attacker could attempt to run a specially crafted application on a targeted system.The update addresses the vulnerability by correcting how Windows Kernel handles parameter sanitization., aka ‘Windows Kernel Security Feature Bypass Vulnerability’.

Recent assessments:

zeroSteiner at June 12, 2020 9:44pm UTC reported:

A vulnerability exists with the Windows kernel that can be used to bypass the NULL page mitigation feature that prevents users from allocating the memory that exists at the literal address 0. This is required for exploiting the class of memory corruption vulnerabilities known as NULL Page Dereferece or NULL Pointer Derefernce. This vulnerability would not be useful on it’s own but rather would make exploitation of another vulnerability practical.

In order to leverage this vulnerability, Intel’s SGX functionality must be available on the host. From my testing, the required functionality does not appear to be available from within virtual machines, meaning that a vulnerable environment would likely have to run on hardware. The vulnerability exists within the implementation of the NtCreateEnclave.

The function NtCreateEnclave is exposed through ntdll, was added in Windows 10 v1511 and uses the following signature (according to Process Hacker):

NTSYSAPI
NTSTATUS
NTAPI
NtCreateEnclave(
    _In_ HANDLE ProcessHandle,
    _Inout_ PVOID* BaseAddress,
    _In_ ULONG_PTR ZeroBits,
    _In_ SIZE_T Size,
    _In_ SIZE_T InitialCommitment,
    _In_ ULONG EnclaveType,
    _In_reads_bytes_(EnclaveInformationLength) PVOID EnclaveInformation,
    _In_ ULONG EnclaveInformationLength,
    _Out_opt_ PULONG EnclaveError
    );

NtCreateEnclave will return 0xc00000bb (STATUS_NOT_SUPPORTED) if the necessary SGX capabilities are unavailable, making identification relatively easy.

I flag this as “No useful access” because it’s most valuable as an exploit primitive, and does not provide any access or information on it’s on.

References: <https://twitter.com/waleedassar/status/1270550282695585792&gt;

Assessed Attacker Value: 2
Assessed Attacker Value: 2Assessed Attacker Value: 3