Rapid7 Vulnerability & Exploit Database

CVE-2020-1170 Cloud Filter Arbitrary File Creation EOP

Back to Search

CVE-2020-1170 Cloud Filter Arbitrary File Creation EOP

Disclosed
03/10/2020
Created
01/12/2021

Description

The Cloud Filter driver, cldflt.sys, on Windows 10 v1803 and later, prior to the December 2020 updates, did not set the IO_FORCE_ACCESS_CHECK or OBJ_FORCE_ACCESS_CHECK flags when calling FltCreateFileEx() and FltCreateFileEx2() within its HsmpOpCreatePlaceholders() function with attacker controlled input. This meant that files were created with KernelMode permissions, thereby bypassing any security checks that would otherwise prevent a normal user from being able to create files in directories they don't have permissions to create files in. This module abuses this vulnerability to perform a DLL hijacking attack against the Microsoft Storage Spaces SMP service, which grants the attacker code execution as the NETWORK SERVICE user. Users are strongly encouraged to set the PAYLOAD option to one of the Meterpreter payloads, as doing so will allow them to subsequently escalate their new session from NETWORK SERVICE to SYSTEM by using Meterpreter's "getsystem" command to perform RPCSS Named Pipe Impersonation and impersonate the SYSTEM user.

Author(s)

  • James Foreshaw
  • Grant Willcox

Platform

Windows

Architectures

x64

Development

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/local/cve_2020_17136
msf exploit(cve_2020_17136) > show targets
    ...targets...
msf exploit(cve_2020_17136) > set TARGET < target-id >
msf exploit(cve_2020_17136) > show options
    ...show and set options...
msf exploit(cve_2020_17136) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security

;