CVE-2020-0655
Information
Module: KernelBase.dll
Functions: PathCanonicalize() and PathCchCanonicalize()
PathCanonicalize (now deprecated) and PathCchCanonicalize convert an attacker-controlled path into a canonical form, so that the result can be checked to prevent a Path Traversal attack. However, all of the tested versions of these functions are only aware of the Back Slash (‘\’) char as a path separator, and ignore the Forward Slash (‘/’) char, which Windows accepts for the exact same purpose.
A programmer is supposed to perform the following operations for sanitizing a given path:
- Concatenate all different parts
- Canonicalize the path
- Check that the canonical path starts with the wanted prefix
Intended Behavior (using ‘\’):
Concatenate: Base\Inner\ + ..\Evil.bat
==> Base\Inner\..\Evil.bat
Canonicalize: Base\Inner\..\Evil.bat
==> Base\Evil.bat
- Verdict: Reject.
Reason: Base\Evil.bat doesn’t start with Base\Inner
Same test, now with ‘/’:
Concatenate: Base\Inner\ + ../Evil.bat
==> Base\Inner\../Evil.bat
Canonicalize: Base\Inner\../Evil.bat
==> Base\Inner\../Evil.bat (nothing changed)
- Verdict: Approve.
Reason: Base\Inner\../Evil.bat starts with Base\Inner
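The three-step check above, reproduced as an added example (not code from the advisory or from Windows): a small Python model of a canonicalizer that, like the behavior described here, collapses ".." only across ‘\’, placed beside a hardened variant that folds ‘/’ into ‘\’ before canonicalizing. The prefix check, the model itself and the folding mitigation are assumptions for illustration, not Microsoft's implementation or fix.

```python
BACKSLASH = "\\"


def canonicalize_backslash_only(path: str) -> str:
    """Constructed model of the behaviour the advisory describes: '.' and
    '..' segments are collapsed, but only '\\' is treated as a separator,
    so a segment such as '../Evil.bat' is kept as one opaque file name.
    This is NOT the Windows PathCchCanonicalize() implementation."""
    out = []
    for seg in path.split(BACKSLASH):
        if seg == "..":
            if out:
                out.pop()          # step up one directory
        elif seg != ".":
            out.append(seg)
    return BACKSLASH.join(out)


def canonicalize_both_separators(path: str) -> str:
    """Hardened variant (assumed mitigation): normalise '/' to '\\' first,
    so both separators are collapsed identically."""
    return canonicalize_backslash_only(path.replace("/", BACKSLASH))


def is_within(base: str, user_part: str, canon) -> bool:
    """Concatenate, canonicalize, then require the result to stay under
    base. The prefix includes the trailing separator so that a sibling
    directory such as 'Base\\Inner2' is not accepted as a child."""
    base_canon = canon(base).rstrip(BACKSLASH) + BACKSLASH
    full = canon(base + user_part)
    return full.startswith(base_canon)


def run_demo() -> dict:
    """Runs the advisory's two inputs through both canonicalizers;
    True means the path would be approved."""
    base = "Base\\Inner\\"
    cases = {"backslash": "..\\Evil.bat", "forward slash": "../Evil.bat"}
    return {
        label: {
            "backslash-only": is_within(base, part, canonicalize_backslash_only),
            "both-separators": is_within(base, part, canonicalize_both_separators),
        }
        for label, part in cases.items()
    }


if __name__ == "__main__":
    for label, verdicts in run_demo().items():
        print(label, verdicts)
```

With the backslash-only model the ‘/’ input is approved unchanged, exactly as in the table above; after normalising separators both inputs canonicalize to Base\Evil.bat and are rejected.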
This vulnerability caused the patch for CVE-2019-0887 (Remote Desktop Services Remote Code Execution Vulnerability) to be partial, and we managed to bypass it by using ‘/’ instead of ‘\’ in our exploit path.
Microsoft tracks the incomplete fix of CVE-2019-0887 as CVE-2020-0655.
Microsoft added a workaround only inside their RDP client (mstscax.dll); PathCchCanonicalize() itself can still be bypassed the same way wherever else it is used.
References:
https://research.checkpoint.com/2020/reverse-rdp-the-path-not-taken/
https://research.checkpoint.com/reverse-rdp-attack-code-execution-on-rdp-clients
https://research.checkpoint.com/reverse-rdp-the-hyper-v-connection/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0877
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0655