by Mitja Kolsek, the 0patch Team
Windows 7 and Windows Server 2008 R2 users without Extended Security Updates
have just received a micropatch for CVE-2020-1299, another
"Stuxnet-like" critical LNK remote code execution issue that can get
code executed on the user's computer just by viewing a folder with Windows
Explorer.
This vulnerability was patched by Microsoft with the June 2020 Updates, but
Windows 7 and Windows Server 2008 R2 users without Extended Security Updates
remained vulnerable.
Security researcher Lê Hữu Quang Linh (@linhlhq) found this vulnerability, published a
detailed analysis and shared a PoC with us so we could reproduce the
issue and create a micropatch.
We narrowed the root cause down to the order in which the method CKnownFoldersFolder::_ClearCachedObjects (1) destroys a DSA object with a
call to DSA_DestroyCallback and (2) NULLs the pointer to that object. The
vulnerable code does (1) before (2); the patched code does (2) before (1), as seen in the image below.
Because the DSA holds a circular pointer back to the structure that owns it, destroying it while the owner's pointer is still live lets the recursive destroy follow that pointer and free the same object twice.
[Image: Unpatched (left) and patched (right) function CKnownFoldersFolder::_ClearCachedObjects]
Microsoft's patch also moved a CoTaskMemFree call to another code block,
but we determined that to have no relevant consequence. Therefore, our
micropatch needed only a single instruction: NULL the pointer to the
DSA object before the call to DSA_DestroyCallback.
MODULE_PATH "..\Affected_Modules\shell32.dll_6.1.7601.24468_64bit\shell32.dll"
PATCH_ID 443
PATCH_FORMAT_VER 2
VULN_ID 6281
PLATFORM win64
patchlet_start
PATCHLET_ID 1
PATCHLET_TYPE 2
PATCHLET_OFFSET 0x76C8C
N_ORIGINALBYTES 5
JUMPOVERBYTES 0
code_start
and qword[rbx+0xb8], 0 ; put 0 at rbx+0xb8, which contains a circular pointer to the same
; structure and is going to be deleted twice.
; When the function tries to recursively delete this structure, it follows
; this pointer and causes a double free
code_end
patchlet_end
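To make the ordering bug concrete outside shell32, here is an added, self-contained C model of the two versions of _ClearCachedObjects. It is not 0patch's or Microsoft's code: the `owner` and `dsa` types, the `cached` field standing in for the pointer at rbx+0xb8, the single back-reference item, and the tracking allocator that counts double frees instead of corrupting the heap are all assumptions made for illustration. The vulnerable ordering destroys the array while the owner's pointer is still live, so releasing the circular item reaches the same array again; the patched ordering clears the pointer first.

```c
#include <stdio.h>
#include <stdlib.h>

/* Tracking allocator (test scaffolding, not part of shell32): remembers live
 * blocks so that freeing a block twice is counted rather than corrupting the
 * heap. This is what lets the vulnerable ordering run to completion below. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];
static int   double_frees;

static void *tracked_alloc(size_t n)
{
    void *p = calloc(1, n);
    if (!p) abort();
    for (int i = 0; i < MAX_LIVE; i++)
        if (!live[i]) { live[i] = p; return p; }
    abort();                         /* table full: not expected here */
}

static void tracked_free(void *p)
{
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    double_frees++;                  /* p is not live: a double free */
}

struct owner;

/* Hypothetical stand-in for the cached DSA: its only item is a back-reference
 * to the object that owns it (the "circular pointer" from the patch comment). */
typedef struct dsa {
    struct owner *back;
} dsa;

/* Hypothetical stand-in for CKnownFoldersFolder; `cached` plays the role of
 * the pointer at rbx+0xb8 that the micropatch zeroes. */
typedef struct owner {
    dsa *cached;
} owner;

/* Stand-in for DSA_DestroyCallback: release every item, then the array.
 * Releasing the back-reference item frees whatever its owner still caches,
 * so if the owner's pointer has not been cleared yet it is the same array. */
static void dsa_destroy_callback(dsa *d)
{
    if (d->back && d->back->cached)
        tracked_free(d->back->cached);
    tracked_free(d);
}

/* Vulnerable _ClearCachedObjects: (1) destroy, then (2) NULL the pointer. */
static void clear_cached_vulnerable(owner *o)
{
    if (!o->cached) return;
    dsa_destroy_callback(o->cached);   /* (1) still reachable via o->cached */
    o->cached = NULL;                  /* (2) too late */
}

/* Patched _ClearCachedObjects: (2) NULL the pointer, then (1) destroy a copy. */
static void clear_cached_patched(owner *o)
{
    dsa *d = o->cached;
    if (!d) return;
    o->cached = NULL;                  /* (2) first: nothing can follow it now */
    dsa_destroy_callback(d);           /* (1) */
}

/* Each run builds one owner whose DSA points back at it and returns the
 * number of double frees the tracking allocator observed. */
static int run(void (*clear)(owner *))
{
    owner o = { 0 };
    double_frees = 0;
    o.cached = tracked_alloc(sizeof(dsa));
    o.cached->back = &o;               /* build the cycle */
    clear(&o);
    return double_frees;
}

int run_vulnerable(void) { return run(clear_cached_vulnerable); }
int run_patched(void)    { return run(clear_cached_patched); }

int main(void)
{
    printf("vulnerable ordering: %d double free(s)\n", run_vulnerable());
    printf("patched ordering:    %d double free(s)\n", run_patched());
    return 0;
}
```

The patched version is the same pattern the single-instruction micropatch enforces: clear the owner's pointer before the destroy call, so that any path re-entering through the circular reference sees NULL instead of the object being torn down.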
Here's a video of our micropatch in action:
We'd like to thank security researcher Lê Hữu Quang Linh (@linhlhq)
for the detailed analysis and for sharing the PoC with us, which
allowed us to quickly reproduce the issue and produce this micropatch
for Windows users without official security updates.
This micropatch is immediately available to all 0patch users with a PRO
license, and is targeted at Windows 7 and Windows Server 2008 R2 users
without Extended Security Updates. To obtain the micropatch and have it
applied on your computer(s) along with other micropatches included with a PRO license,
create an account in 0patch Central, install 0patch Agent and register it to your account.
Note that no computer restart is needed for installing the agent or applying/un-applying any 0patch micropatch.
To learn more about 0patch, please visit our Help Center.