Windows Kernel Elevation of Privilege Vulnerability + PWN-OS-FAKE UPDATE Windows 10 (Local) – Feb 2020

Preface: A custom DLL that has been written into C:\Windows\System32 can be loaded as NT AUTHORITY\SYSTEM through the Diagnostics Hub service (using the third-party diaghub tool). The hard part is therefore getting a file into System32 as an unprivileged user, which is what this elevation of privilege bug provides.

Background: Starting with Windows 10, Microsoft introduced the Update Session Orchestrator service (UsoSvc). A regular user can interact with it over COM, for example to start an "update scan" (check whether updates are available) or to start downloading pending updates. There is even an undocumented built-in tool, usoclient.exe, that does exactly that.

From an attacker's standpoint the service is interesting for two reasons: it runs as NT AUTHORITY\SYSTEM, and every time an Update Session is created it tries to load a DLL that does not exist on a default Windows 10 install, windowscoredeviceinfo.dll. Because the lookup resolves to C:\Windows\System32, anyone who can drop a file with that name into System32 gets their code executed as SYSTEM the next time a session is started, and an unprivileged user can start one at will.

Vulnerability details: Exploiting the bug (fixed as CVE-2020-0668, see Remedy) gives a normal user a privileged file write, and the write-up points it at C:\Windows\System32. The written file can then be turned into code execution as SYSTEM in either of two ways: load it through the Diagnostics Hub with the third-party diaghub.exe, or name it WindowsCoreDeviceInfo.dll and let UsoSvc pick it up the next time an Update Session is created (an update scan started from a normal user account is enough).
The DLL used here opens a bind shell on TCP port 1337 on the loopback interface. Connect to it with netcat (third-party tool): nc.exe 127.0.0.1 1337
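Checking a host for this chain, as an added example that is not part of the original write-up: the PowerShell below looks for the three artefacts the text mentions, a planted WindowsCoreDeviceInfo.dll in System32, a non-Microsoft module inside the svchost.exe that hosts UsoSvc, and a listener on 127.0.0.1:1337. The "Microsoft-signed" test (a valid signature whose subject contains "O=Microsoft Corporation") and the decision to report any non-Microsoft module in that shared svchost are my assumptions; the port and address come from the nc.exe command above. It needs an elevated session, because reading the module list of a SYSTEM process requires it.

```powershell
# Added example, not part of the original write-up: triage script for the
# UsoSvc / diaghub DLL-planting scenario. Run from an elevated PowerShell 5.1+
# session on Windows 10; it only reads state and never writes to System32.
#
# Assumptions not stated on the page: "Microsoft-signed" is approximated as a
# valid Authenticode/catalog signature with "O=Microsoft Corporation" in the
# signer subject; the bind-shell address/port (127.0.0.1:1337) is taken from
# the write-up's nc.exe command.

function Test-SignedByMicrosoft {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return ($sig.Status -eq 'Valid') -and
           ($null -ne $sig.SignerCertificate) -and
           ($sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')
}

function Test-UsoDllPlant {
    $findings = New-Object System.Collections.Generic.List[string]
    $dllPath  = Join-Path $env:SystemRoot 'System32\WindowsCoreDeviceInfo.dll'

    # 1. The DLL UsoSvc tries to load does not ship with Windows 10. If it exists
    #    at all, somebody put it there, so its presence alone is a finding.
    if (Test-Path -LiteralPath $dllPath) {
        $item = Get-Item -LiteralPath $dllPath
        $ms   = Test-SignedByMicrosoft -Path $dllPath
        $findings.Add("WindowsCoreDeviceInfo.dll present in System32 (created $($item.CreationTime), Microsoft-signed: $ms)")
    }

    # 2. UsoSvc lives in a shared svchost.exe, so every module in that process is
    #    a candidate. Report anything without a valid Microsoft signature.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='UsoSvc'"
    if ($svc -and $svc.ProcessId -gt 0) {
        $proc = Get-Process -Id $svc.ProcessId -ErrorAction SilentlyContinue
        if ($proc) {
            foreach ($m in $proc.Modules) {
                if (-not (Test-SignedByMicrosoft -Path $m.FileName)) {
                    $findings.Add("Unsigned/non-Microsoft module in UsoSvc host (PID $($svc.ProcessId)): $($m.FileName)")
                }
            }
        }
    }

    # 3. The payload in the write-up is a bind shell on 127.0.0.1:1337. A listener
    #    there owned by a SYSTEM process is the post-exploitation indicator.
    $listen = Get-NetTCPConnection -LocalAddress '127.0.0.1' -LocalPort 1337 -State Listen -ErrorAction SilentlyContinue
    if ($listen) {
        foreach ($l in $listen) {
            $owner = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
            $findings.Add("Listener on 127.0.0.1:1337 owned by PID $($l.OwningProcess) ($($owner.ProcessName))")
        }
    }

    $state   = if ($svc) { $svc.State }     else { 'not found' }
    $account = if ($svc) { $svc.StartName } else { 'n/a' }
    return [pscustomobject]@{
        UsoSvcState   = $state
        UsoSvcAccount = $account
        Findings      = $findings
    }
}

$result = Test-UsoDllPlant
"UsoSvc: $($result.UsoSvcState), runs as $($result.UsoSvcAccount)"
if ($result.Findings.Count -eq 0) {
    'OK: no DLL-plant indicators found.'
} else {
    $result.Findings | ForEach-Object { Write-Warning $_ }
}
```

The module check is noisy by design: UsoSvc shares its svchost.exe with other services, so anything it reports deserves a look but is not automatically malicious. To validate the check in a lab, create an update session the way the write-up describes (for example usoclient.exe StartScan from an unprivileged account) and run the script again; if UsoSvc was stopped beforehand it will now have a PID and its modules can be inspected.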

Remedy: Microsoft fixed this as CVE-2020-0668 in the February 2020 security updates: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0668 . Until the update is installed, a WindowsCoreDeviceInfo.dll in C:\Windows\System32 is a strong indicator of exploitation, since the file is not shipped with Windows 10.