Full Report
A while ago Jonas Lykkegaard disclosed a zero-day that could be used to create files in the SYSTEM folder. CVE-2020-16885 was assigned to this vulnerability, which has since been patched in KB4580346. The vulnerability was very convenient for Dynamic-link library (DLL) side-loading, which I will show in this blog post. Below you can find his original Twitter message.

> Unprivileged users are not allowed to create files in the system32 folder. On Hyper-V hosts they finally realised that unprivileged lives matter too, as anyone can now create files there, with the creator as owner. Just open like this: pic.twitter.com/Pd6nnqhcKZ
Analysis Summary
# Vulnerability: Arbitrary File Creation in SYSTEM Folder via STORVSP (Leads to DLL Sideloading)
## CVE Details
- CVE ID: CVE-2020-16885
- CVSS Score: Not explicitly stated, but implied High severity due to Privilege Escalation potential.
- CWE: CWE-73 (External Control of File Name or Path), leading to CWE-426 (Untrusted Search Path) via DLL Sideloading.
## Affected Systems
- Products: Windows systems utilizing Hyper-V features, including Hyper-V itself, Windows Sandbox, and Windows Credential Guard.
- Versions: No specific Windows versions are named; patched builds are available via KB4580346.
- Configurations: Systems with Hyper-V enabled. Windows Subsystem for Linux (WSL) did not appear to be vulnerable.
## Vulnerability Description
The vulnerability resides in how unprivileged users interact with the Hyper-V STORVSP (Storage Virtual Service Provider), which operates in kernel mode. An unprivileged user could call `NtCreateFile` with a path of the form `\Device\STORVSP\vSMB\??\C:\Windows\System32\` to create files inside the protected `C:\Windows\System32` directory. Because STORVSP performed no privilege check of its own on the caller, a low-privileged attacker could create a file, owned by the attacker, inside a system directory.
## Exploitation
- Status: PoC available (demonstrated via Twitter post and blog verification). The vulnerability was described as a "zeroday" prior to patching.
- Complexity: Low (A simple file creation demonstration was shown using a utility like FileTest).
- Attack Vector: Local.
## Impact
This arbitrary file creation capability was specifically convenient for chaining with **DLL Side-loading** attacks, allowing an attacker to place a malicious DLL in `System32` that could subsequently be loaded by a legitimate process running as `NT AUTHORITY\SYSTEM`, resulting in **Local Privilege Escalation (LPE)** to SYSTEM context.
- Confidentiality: Potentially High (If SYSTEM context is achieved).
- Integrity: High (Ability to write files to SYSTEM directories, leading to code execution).
- Availability: Low (Direct impact is low, primarily focused on gaining higher privileges).
## Remediation
### Patches
- KB4580346: This Knowledge Base article contains the official patch addressing CVE-2020-16885.
### Workarounds
As the vulnerability allows arbitrary file creation in sensitive locations, effective mitigation relies on patch deployment. No specific temporary workarounds were detailed other than monitoring file creation events in system directories.
## Detection
- Indicators of Compromise: Creation of new files in high-privilege directories (e.g., `C:\Windows\System32`) originating from processes running under a user profile that is **not** a member of the local Administrators group.
- Detection methods and tools: Monitoring file creation events in system folders by non-administrative users (security event logs in production; Sysinternals Process Monitor when testing). Hyper-V logs did not show any specific events related to this exploit during testing.
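The indicator described under Detection (and the monitoring named as the only interim measure under Workarounds) can be turned into a small rule. The following is an added example, not code from the original write-up: it runs over Sysmon Event ID 11 (FileCreate) records that are constructed inline here, using Sysmon's `TargetFilename`, `Image` and `User` field names. Two things are assumptions of the example rather than facts from the page: the set of accounts treated as administrative or servicing accounts is supplied as an allowlist (group membership cannot be read from the event itself), and NT-native paths such as `\??\C:\...` or `\Device\...\??\C:\...` are normalised to their Win32 form before matching, so an event logged with an unusual device path still hits the rule.

```python
"""Flag file creation in protected system directories by non-admin accounts.

Added example for the Detection section; not part of the original post.
Input records mimic Sysmon Event ID 11 (FileCreate) and are constructed
inline. ADMIN_ACCOUNTS is an assumed allowlist, not derived from the event.
"""
import ntpath
from dataclasses import dataclass
from typing import Iterable, List

# Directories where an unprivileged account should never be creating files.
PROTECTED_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64")

# Accounts whose writes to system directories are expected (servicing,
# installers). Assumed allowlist; replace with your own inventory.
ADMIN_ACCOUNTS = {r"NT AUTHORITY\SYSTEM", r"NT SERVICE\TrustedInstaller"}


@dataclass(frozen=True)
class FileCreateEvent:
    """Subset of a Sysmon Event ID 11 record."""
    utc_time: str
    image: str          # process that created the file
    target: str         # TargetFilename
    user: str           # account the process ran as


@dataclass(frozen=True)
class Finding:
    severity: str
    reason: str
    event: FileCreateEvent


def normalize_path(path: str) -> str:
    """Reduce NT-native (\\??\\C:\\...) or long-path (\\\\?\\C:\\...) syntax to a
    plain Win32 path so that all spellings of a location compare equal."""
    marker = path.find("\\??\\")
    if marker != -1:
        return path[marker + 4:]
    if path.startswith("\\\\?\\"):
        return path[4:]
    return path


def in_protected_dir(path: str) -> bool:
    """True if the (normalised) path lies beneath one of PROTECTED_DIRS."""
    p = normalize_path(path).lower()
    return any(p.startswith(d.lower() + "\\") for d in PROTECTED_DIRS)


def detect(events: Iterable[FileCreateEvent], admin_accounts: Iterable[str]) -> List[Finding]:
    """Return a Finding for every file created in a protected directory by an
    account outside the allowlist; executable images rank higher because they
    are the DLL side-loading case the write-up describes."""
    admins = {a.lower() for a in admin_accounts}
    findings: List[Finding] = []
    for ev in events:
        if not in_protected_dir(ev.target):
            continue
        if ev.user.lower() in admins:
            continue  # expected servicing activity
        ext = ntpath.splitext(normalize_path(ev.target))[1].lower()
        if ext in (".dll", ".exe", ".sys"):
            sev = "high"
            why = "executable image dropped in a protected directory by a non-admin account (side-loading candidate)"
        else:
            sev = "medium"
            why = "file created in a protected directory by a non-admin account"
        findings.append(Finding(sev, why, ev))
    return findings


# Constructed sample events: one legitimate SYSTEM write, two writes by an
# ordinary user through an NT-native path, and one harmless user-profile write.
SAMPLE_EVENTS = [
    FileCreateEvent("2020-10-13 09:12:01.001", r"C:\Windows\System32\svchost.exe",
                    r"C:\Windows\System32\config\systemprofile\AppData\Local\x.tmp",
                    r"NT AUTHORITY\SYSTEM"),
    FileCreateEvent("2020-10-13 09:12:05.420", r"C:\Users\alice\Desktop\FileTest.exe",
                    r"\??\C:\Windows\System32\proof.txt", r"LAB\alice"),
    FileCreateEvent("2020-10-13 09:12:09.777", r"C:\Users\alice\Desktop\FileTest.exe",
                    r"\??\C:\Windows\System32\sample.dll", r"LAB\alice"),
    FileCreateEvent("2020-10-13 09:13:00.000", r"C:\Windows\System32\notepad.exe",
                    r"C:\Users\alice\AppData\Local\Temp\notes.txt", r"LAB\alice"),
]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS, ADMIN_ACCOUNTS):
        print(f"[{f.severity}] {f.event.utc_time} {f.event.user} {f.event.image} "
              f"-> {f.event.target}: {f.reason}")
```

Run as-is it reports the two `LAB\alice` writes into `System32` and stays silent on the SYSTEM servicing write and the user-profile write. The allowlist is deliberately a set of account names rather than a group lookup, so in production you would populate it from your own directory; anything the rule misses because an account is missing from the list still surfaces as a medium finding rather than being dropped.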
## References
- Vendor Advisories: Microsoft advisory addressing CVE-2020-16885 (implied via patch KB4580346).
- Relevant links (defanged):
  - Original disclosure (Twitter): hxxps://twitter.com/jonasLyk/status/1303995855364556800
  - FileTest utility: hxxp://www.zezula.net/en/fstools/filetest.html
  - Black Hat presentation on Hyper-V hardening: hxxps://i.blackhat.com/us-18/Thu-August-9/us-18-Rabet-Hardening-Hyper-V-Through-Offensive-Security-Research.pdf