Windows: splWOW64 Elevation of Privilege
Platform: Windows 10 2004 (19041.508)
Class: Elevation of PrivilegeSummary: CVE-2020-0986, which was exploited in the wild[1] was not fixed. The vulnerability still exists, just the exploitation method had to change.
A low integrity process can send LPC messages to splwow64.exe (Medium integrity) and gain a write-what-where primitive in splwow64’s memory space. The attacker controls the destination, the contents that are copied, and the number of bytes copied through a memcpy call. The offset for the destination pointer calculation is only constrained to be:
Offset <= 0x7FFFFFFF
Offset + perceived size of structure <= 0x7FFFFFFFSplwow64 passes the LPC message to GdiPrinterThunk. The vulnerable memcpy is in message 0x6D. …
|
There are isolated problems with current patches, but they are well-known and documented on this site. |
-
Project Zero : Windows: splWOW64 Elevation of Privilege
- This topic has 3 replies, 4 voices, and was last updated 4 years, 5 months ago.
AuthorViewing 2 reply threadsAuthor-
There are hints in that thread on the Project Zero page that you link to that MS may very well have a patch next month on Patch Tuesday. Time will tell, of course.
The bug was disclosed because MS couldn’t meet Project Zero’s normal time line nor could they meet an extended time line for patching the bug.
From what’s mentioned on the Project Zero page and in an article on Bleeping Computer about the bug, sounds like MS took the easy way out of the bug back in May/June and left themselves open hoping nobody would notice. OOPS!!
-
As this seems to require software running on the local machine it is easy to mitigate – don’t run dodgy software on your machine.
cheers, Paul
1 user thanked author for this post.
-
Looked into CVE-2020-0986 as unpatched privilege escalations in Windows are hot right now. Articles are a bit misleading, this only allows privilege escalation from low-integrity to medium integrity – useful for exploit chains but it's not SYSTEM privileges. Interesting bug tho. pic.twitter.com/QIFN8bj5Aa
— Hacker Fantastic (@hackerfantastic) December 24, 2020
From CVE timeline:2020-10-27 Microsoft assigns CVE-2020-17008 for this issue, noting that while the fix was planned for November, that has slipped to December.
2020-12-03 Microsoft advises that due to issues identified in testing, the fix will now slip to January 2021.
2020-12-08 Meeting between MSRC and Project Zero leadership to determine details and discuss next steps. The 14-day grace period is unavailable as Microsoft do not plan to patch this issue before Jan 6 (next patch Tuesday is Jan 12).
Viewing 2 reply threads
Plus Membership
Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.
AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments.
Get Plus!
Recent Topics
-
.NET 8.0 Desktop Runtime (v8.0.16) – Windows x86 Installer
by 5 hours, 37 minutes ago
-
Neowin poll : What do you plan to do on Windows 10 EOS
by 1 hour, 21 minutes ago
-
May 31, 2025—KB5062170 (OS Builds 22621.5415 and 22631.5415 Out-of-band
by 4 hours, 12 minutes ago
-
Discover the Best AI Tools for Everything
by 4 hours, 20 minutes ago
-
Edge Seems To Be Gaining Weight
by 5 hours, 3 minutes ago
-
Rufus is available from the MSFT Store
by 2 hours, 32 minutes ago
-
Microsoft : Ending USB-C® Port Confusion
by 1 day, 5 hours ago
-
KB5061768 update for Intel vPro processor
by 11 hours, 48 minutes ago
-
Outlook 365 classic has exhausted all shared resources
by 7 hours, 59 minutes ago
-
My Simple Word 2010 Macro Is Not Working
by 1 day, 1 hour ago
-
Office gets current release
by 1 day, 3 hours ago
-
FBI: Still Using One of These Old Routers? It’s Vulnerable to Hackers
by 2 days, 17 hours ago
-
Windows AI Local Only no NPU required!
by 2 days, 2 hours ago
-
Stop the OneDrive defaults
by 2 days, 18 hours ago
-
Windows 11 Insider Preview build 27868 released to Canary
by 3 days, 4 hours ago
-
X Suspends Encrypted DMs
by 3 days, 6 hours ago
-
WSJ : My Robot and Me AI generated movie
by 3 days, 7 hours ago
-
Botnet hacks 9,000+ ASUS routers to add persistent SSH backdoor
by 3 days, 7 hours ago
-
OpenAI model sabotages shutdown code
by 3 days, 8 hours ago
-
Backup and access old e-mails after company e-mail address is terminated
by 2 days, 20 hours ago
-
Enabling Secureboot
by 3 days, 3 hours ago
-
Windows hosting exposes additional bugs
by 3 days, 16 hours ago
-
No more rounded corners??
by 3 days, 12 hours ago
-
Android 15 and IPV6
by 3 days, 1 hour ago
-
KB5058405 might fail to install with recovery error 0xc0000098 in ACPI.sys
by 4 days, 4 hours ago
-
T-Mobile’s T-Life App has a “Screen Recording Tool” Turned on
by 4 days, 7 hours ago
-
Windows 11 Insider Preview Build 26100.4202 (24H2) released to Release Preview
by 4 days, 1 hour ago
-
Windows Update orchestration platform to update all software
by 4 days, 14 hours ago
-
May preview updates
by 4 days, 1 hour ago
-
Microsoft releases KB5061977 Windows 11 24H2, Server 2025 emergency out of band
by 3 days, 17 hours ago
Remembering Woody
