layout: default
title: CVE-2020-1337
parent: CVEs
grand_parent: Resources

tags: #cve-analysis

CVE-2020-1337

Summary

CVE-2020-1337 bypasses the patch for CVE-2020-1048 (PrintDemon) by using a directory junction. The PrintDemon patch was made to remediate an Elevation of Privilege (EoP) / Local Privilege Escalation (LPE) vulnerability affecting the Windows Print Spooler service.

The check happens only when a new port is created: if the user has read/write permission on the path at that moment, the check passes. If the path later changes, the Print Spooler service does not check it again and prints directly to it, leading to a time-of-check to time-of-use (TOCTOU) vulnerability.

Think CVE-2020-1048 with a directory junction bypass.
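
The check-then-use gap described above, as an added example that is not code from the original page or from the Print Spooler: a constructed `ToySpooler` validates a port path only in `add_port`, and `print_rechecked` shows one way to validate again at write time. The class and method names, the POSIX symlink standing in for an NTFS junction, and the "outside a protected directory" test standing in for the caller's permission check are all assumptions.

```python
import os
import tempfile
class ToySpooler:
    """Constructed model of a service that writes to file ports for a caller."""

    def __init__(self, protected_dir):
        self.protected = os.path.realpath(protected_dir)
        self.ports = set()

    def _caller_may_write(self, path):
        # Assumed stand-in for the permission check: resolve links, refuse the protected tree.
        real = os.path.realpath(path)
        return os.path.commonpath([real, self.protected]) != self.protected

    def add_port(self, path):
        if not self._caller_may_write(path):   # time of check
            raise PermissionError(path)
        self.ports.add(path)

    def print_unchecked(self, path, data):
        if path not in self.ports:
            raise KeyError(path)
        with open(path, "w") as fh:            # time of use, no second check
            fh.write(data)

    def print_rechecked(self, path, data):
        if not self._caller_may_write(path):   # validate again at time of use
            raise PermissionError(path)
        self.print_unchecked(path, data)

def demo():
    root = tempfile.mkdtemp()                  # constructed sandbox directories
    user_dir, protected = os.path.join(root, "user"), os.path.join(root, "protected")
    os.mkdir(user_dir)
    os.mkdir(protected)
    spooler = ToySpooler(protected)
    port = os.path.join(user_dir, "out.txt")
    spooler.add_port(port)                     # passes: user_dir is a plain directory
    os.rmdir(user_dir)
    os.symlink(protected, user_dir)            # same port name now resolves elsewhere
    try:
        spooler.print_rechecked(port, "job")
        refused = False
    except PermissionError:
        refused = True
    spooler.print_unchecked(port, "job")
    # (re-check refused the job, unchecked write landed in the protected directory)
    return refused, os.path.exists(os.path.join(protected, "out.txt"))
if __name__ == "__main__":
    print(demo())
```

Re-checking immediately before the open narrows the window but does not remove it, since the path can still change between the two calls.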

Components affected

  • Windows Print Spooler

Security Boundaries

which security boundaries have been crossed?

  • User - A user cannot access or tamper with the code and data of another user without being authorized.

Hashtags

connect CVE to a specific topic, event, theme or concept

#EoP #lpe #printers #impersonation #privFileWrite #symlink #TOCTOU

Requirements

what stars needed to align?

  • User context
  • Controlling Print Spooler State
    • TOCTOU - Use of directory junction to overcome PortIsValid call

Fundamental Issue / Root Cause

Best Fit Vulnerability Class (or CWE) for this CVE

Is this CVE the Root Cause or a Causal Factor?

  • causal factor - a major contributor to an undesirable condition that, if eliminated, would have either prevented the occurrence of the incident or reduced its severity or frequency

It's clear that this is just another contributor to the ability to write files as SYSTEM. The major issue is still the self-impersonation issue within the spooler. See CVE-2020-1048.

Patch Info

Version

| Release Date | Product | Platform | Impact | Severity | Article | Download | Details |
|---|---|---|---|---|---|---|---|
| Nov 10 2020 | Windows 10 Version 2004 for x64-based Systems | - | Elevation of Privilege | Important | 4586781 | Security Update | CVE-2020-17001 |

Treating a Symptom or Cure?