Exploit for incompletely patched Windows 0-day vulnerability CVE-2020-0986

[German] Security researchers have proven that a vulnerability patched in Windows in July 2020 is still exploitable. The patch does not close the vulnerability sufficiently, so there is another way to exploit it.


The CVE-2020-0986 vulnerability

In May 2020, security researchers from Google Project Zero described the CVE-2020-0986 vulnerability in this document. The Zero Day Initiative also described the vulnerability on May 19, 2020. Security researchers from Kaspersky found an untrusted pointer dereference in Windows 10 1909/1903 and earlier versions. Microsoft writes about it:

A privilege escalation vulnerability exists that is caused by the Windows kernel not properly processing objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code in kernel mode. The attacker could then install programs; view, modify, or delete data; or create new accounts with unrestricted user privileges.

To exploit this vulnerability, an attacker must first log on to the system. An attacker can then run a specially crafted application to take control of an affected system. In June 2020, Microsoft released a security update to close this vulnerability (see).

Vulnerability still exploitable

Security researcher Maddie Stone of Google Project Zero has now discovered that Microsoft's June 2020 patch did not fix the original vulnerability (CVE-2020-0986). After some adjustments, the vulnerability can still be exploited. She points this out in some tweets.

Windows vulnerability CVE-2020-0986

In the Google Project Zero bug tracker, there is a note from September 2020 that the CVE-2020-0986 vulnerability, which was exploited in the wild at the time, is still unpatched. To exploit the vulnerability, only the exploit method needs to be changed. A low integrity process can send LPC messages to splwow64.exe (medium integrity) and gain a write-what-where primitive in splwow64's memory space. This yields a privilege elevation: the attacker can control the destination, the contents that are copied, and the number of bytes copied by a memcpy call.


Stone created a proof of concept (PoC) and notified Microsoft. The description in the Google Project Zero tracker has now been automatically published after the 90-day deadline. Currently, there is no patch for the vulnerability from Microsoft, as the plan to release an update by November 2020 could not be met: serious problems with the update were found during testing. Microsoft has already said that an update will not be available before January 6, 2020. More details can be found at Bleeping Computer.
