RED CURSOR
Making a PoC for CVE-2020-0668

4/2/2020

Recently Clément Labro released a blog post about an arbitrary file move vulnerability he discovered. This was CVE-2020-0668 which involved abusing Service Tracing to cause an arbitrary file move with the help of symlinks.

I confirmed the vulnerability using the Google Project Zero symboliclink-testing-tools, but wanted to create a standalone executable that could be easily shipped to a target machine to exploit the CVE. C# seemed like an appropriate language, as I could leverage the NtApiDotNet package, which had done all the hard work for me.

Writing the code was as simple as following the instructions in the blog post and making sure I understood the mount point and symbolic link trickery. Luckily this has been described by James Forshaw in a number of blog posts, and implemented in his API methods NtFile.CreateMountPoint and NtSymbolicLink.Create. The complete proof of concept code can be found on GitHub here.