The Top 5 Bug Submissions of 2020

As the year draws to a close, we thought it would be fun to look back at some of the best submissions we received throughout 2020. We’re very close to having a record-breaking year in terms of published advisories, so narrowing 1,400+ bugs to just five was quite the challenge. In the end, we came up with the following submissions from 2020 that stood out from the pack. Without further ado and presented in no particular order, here are our Top 5 submissions for 2020.
CVE-2020-0688/ZDI-20-258: Microsoft Exchange Server Exchange Control Panel Fixed Cryptographic Key Remote Code Execution Vulnerability
This bug was reported to the program by an anonymous researcher. This highly critical vulnerability in Microsoft Exchange Server allows any authenticated Exchange user to gain SYSTEM privileges on the server. The vulnerability is found in the Exchange Admin Center web interface. Even though this web interface is called an “Admin” interface, by default it is available to any user who has credentials to a mailbox on the Exchange server and is exposed on the network alongside Outlook Web Access. The vulnerability relates to the cryptographic keys (“machine keys”) installed in the Exchange Admin Center ASP.NET application. Exchange should generate these keys randomly at install time so that they will be secret and unique to every installation. Instead, they are copied verbatim from install media, so that an outside attacker can know these keys by referring to any other installation of the product. An attacker can use knowledge of the keys to forge messages that will be deserialized at the server, leading to arbitrary code execution. Vulnerabilities in Exchange Server are highly significant because Exchange is at the nerve center of the enterprise, making it an exceptionally valuable target for adversaries. If your organization has not yet applied the patch, it is imperative to do so at the very earliest time. For further details about this bug, including a video of the bug in action, refer to our previous blog covering the full details of this vulnerability.
CVE-2020-3992/ZDI-20-1377: VMware ESXi SLP Use-After-Free Remote Code Execution Vulnerability
This bug was discovered by ZDI vulnerability researcher Lucas Leong. ESXi is an enterprise-class hypervisor developed by VMware. One of the protocols enabled by default in ESXi is the Service Location Protocol (SLP). SLP is a protocol that enables clients to discover networked services. The most popular implementation of SLP is OpenSLP. However, Lucas discovered that ESXi is using its own custom implementation. Furthermore, there were flaws in this custom implementation that led to two critical security issues. One of these security issues resulted in an SLPMessage object being freed within SLPDProcessMessage() despite the program still retaining a reference to the freed object in the SLPDatabase structure. This results in a Use-After-Free (UAF) condition that can be exploited by a remote attacker within the WAN environment. This vulnerability was initially reported as ZDI-CAN-11563. However, the security patch produced by VMware did not fully address the issue. This resulted in a bypass that was reported to VMware as ZDI-CAN-12190. It should be noted that in addition to being remotely exploitable, these SLP bugs can be used for sandbox escapes by processes running within a restricted environment. This vulnerability is a great example that even heavily researched products such as ESXi contain attack surfaces that are often overlooked with dangerous security implications.
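The dangling-reference pattern described above, as an added illustration in C that is not ESXi or OpenSLP code: a message database keeps raw pointers to message objects, the vulnerable processing routine frees a malformed message on its error path without clearing the database entry, and the fixed routine removes the entry before freeing. All names (slp_msg_t, msg_db_t, process_message_vuln, process_message_fixed) are assumptions made for the demo; the freed-pointer log exists only so the demo can recognise a dangling entry by address without reading freed memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a message database that stores raw references
 * and a processing routine that frees a message on an error path. */
#define DB_SLOTS 8
#define MAX_BODY 64

typedef struct {
    int id;
    size_t body_len;        /* attacker-controlled length, validated later */
    char body[MAX_BODY];
} slp_msg_t;

typedef struct {
    slp_msg_t *entries[DB_SLOTS];   /* raw pointers, no ownership tracking */
} msg_db_t;

/* Demo bookkeeping: remember freed addresses so a dangling entry can be
 * detected by comparison alone. Real code has no such log, which is why
 * the bug is silent until the stale entry is dereferenced. */
static const void *freed_log[DB_SLOTS];
static int freed_count;

static void msg_free(slp_msg_t *m) {
    if (freed_count < DB_SLOTS) freed_log[freed_count++] = m;
    free(m);
}

static int was_freed(const void *p) {
    for (int i = 0; i < freed_count; i++)
        if (freed_log[i] == p) return 1;
    return 0;
}

static slp_msg_t *msg_new(int id, size_t body_len) {
    slp_msg_t *m = calloc(1, sizeof *m);
    if (!m) return NULL;
    m->id = id;
    m->body_len = body_len;
    return m;
}

static void db_init(msg_db_t *db) { memset(db, 0, sizeof *db); freed_count = 0; }

static int db_insert(msg_db_t *db, slp_msg_t *m) {
    for (int i = 0; i < DB_SLOTS; i++)
        if (!db->entries[i]) { db->entries[i] = m; return i; }
    return -1;
}

static void db_remove(msg_db_t *db, const slp_msg_t *m) {
    for (int i = 0; i < DB_SLOTS; i++)
        if (db->entries[i] == m) db->entries[i] = NULL;
}

/* Vulnerable: the message is registered, then freed when it turns out to
 * be malformed, but the database keeps pointing at it. Returns 0 or -1. */
int process_message_vuln(msg_db_t *db, slp_msg_t *m) {
    if (db_insert(db, m) < 0) { msg_free(m); return -1; }
    if (m->body_len > MAX_BODY) {
        msg_free(m);                  /* BUG: db entry still references m */
        return -1;
    }
    return 0;
}

/* Fixed: drop the database reference before releasing the object. */
int process_message_fixed(msg_db_t *db, slp_msg_t *m) {
    if (db_insert(db, m) < 0) { msg_free(m); return -1; }
    if (m->body_len > MAX_BODY) {
        db_remove(db, m);
        msg_free(m);
        return -1;
    }
    return 0;
}

/* Entries pointing at freed memory: any non-zero result is a latent UAF. */
int db_dangling_count(const msg_db_t *db) {
    int n = 0;
    for (int i = 0; i < DB_SLOTS; i++)
        if (db->entries[i] && was_freed(db->entries[i])) n++;
    return n;
}

static void db_destroy(msg_db_t *db) {
    for (int i = 0; i < DB_SLOTS; i++)
        if (db->entries[i] && !was_freed(db->entries[i])) { free(db->entries[i]); db->entries[i] = NULL; }
}

/* Scenario runner: processes one message (oversized or valid) through the
 * chosen routine and returns how many database entries are left dangling. */
int run_scenario(int fixed, size_t body_len) {
    msg_db_t db;
    db_init(&db);
    slp_msg_t *m = msg_new(1, body_len);
    if (fixed) process_message_fixed(&db, m); else process_message_vuln(&db, m);
    int dangling = db_dangling_count(&db);
    db_destroy(&db);
    return dangling;
}

int main(void) {
    printf("vulnerable, malformed message: %d dangling\n", run_scenario(0, MAX_BODY + 1));
    printf("fixed, malformed message:      %d dangling\n", run_scenario(1, MAX_BODY + 1));
    printf("fixed, valid message:          %d dangling\n", run_scenario(1, 16));
    return 0;
}
```

The invariant that db_dangling_count enforces (no database entry may outlive the object it points at) is the property a fix for this class of bug has to guarantee on every error path, not just the one originally reported; a regression check of this shape is how an incomplete patch like the one the paragraph mentions would be caught before it ships.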
CVE-2020-9850/ZDI-20-672: Apple Safari in Operator JIT Type Confusion Remote Code Execution Vulnerability
This bug was reported during the spring Pwn2Own competition by the team from the Georgia Tech Systems Software & Security Lab. This bug is a portion of an interesting chain of bugs that starts with WebKit’s type confusion in the DFG tier, similar to last year’s bug. Then comes Safari’s ability to execute “.app” symlinks, which is aided by a heap overflow bug in OpenGL’s CVM (Core Virtual Machine). Add to that a first-time app protection bypass, root access, and privilege escalation in cfprefsd and kextload respectively due to race conditions. The end result was a successful Pwn2Own demonstration, which earned the team $70,000. The dedication of those researchers in finding and exploiting six vulnerabilities is mind-boggling. This all occurs behind the scenes when an unsuspecting victim visits a simple web page. Imagine browsing the web and 10 seconds later, malicious code is running on your machine. That is pretty neat, I would say.
CVE-2020-7460/ZDI-20-949: FreeBSD Kernel sendmsg System Call Time-Of-Check Time-Of-Use Privilege Escalation Vulnerability
This vulnerability was reported to the ZDI program by a researcher who goes by the name m00nbsd. The bug allows an attacker to achieve kernel-level code execution on FreeBSD starting from an unprivileged user using a Time-Of-Check Time-Of-Use (TOCTOU) vulnerability present in the 32-bit sendmsg() system call. The vulnerability is a double-fetch bug in a system call. To trigger the overflow, userland must quickly replace one of the MsgLen values with a bigger value between the first access and the second access. An attacker could trigger this by spawning a thread that calls sendmsg() in a loop, giving it correct arguments. They could then spawn another thread that replaces one of the MsgLen values with a gigantic value and then puts back the correct value in a loop. Wait for the two threads to race and the overflow will be triggered. It is surprising that a bug this shallow survived for many years. We previously blogged about this bug back in September, and you can read all of the details (including PoC) here.
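The double fetch described above, as an added illustration in C that is not FreeBSD code: the kernel side reads a user-supplied array of message headers once to validate the summed lengths against a fixed kernel buffer, then reads it again when copying. The racing userland thread is modelled deterministically rather than with real threads, so the outcome is reproducible: the header at racing_index reads back as racing_len on every fetch after the first. The header layout, the user_mem_t simulation, and the names sendmsg_vuln and sendmsg_fixed are assumptions for the demo; no memory is actually overflowed, the functions return the byte count the copy loop would write so it can be compared with the buffer size.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a check/use double fetch across a user/kernel boundary. */
#define KBUF_SIZE 256
#define MAX_MSGS 4

typedef struct { uint32_t msg_len; } user_hdr_t;   /* assumed header layout */

/* Simulated user memory. A second userland thread racing the syscall is
 * modelled by returning racing_len for hdrs[racing_index] on every fetch
 * after the first, i.e. after the check pass has already seen a sane value. */
typedef struct {
    user_hdr_t hdrs[MAX_MSGS];
    int fetches[MAX_MSGS];      /* per-header fetch counter */
    int racing_index;           /* -1: no racing thread */
    uint32_t racing_len;
} user_mem_t;

void user_mem_init(user_mem_t *um, const uint32_t *lens, int n, int racing_index, uint32_t racing_len) {
    memset(um, 0, sizeof *um);
    for (int i = 0; i < n && i < MAX_MSGS; i++) um->hdrs[i].msg_len = lens[i];
    um->racing_index = racing_index;
    um->racing_len = racing_len;
}

/* copyin() stand-in: every call re-reads user memory, so the value
 * observed is whatever userland holds at that instant. */
static void fetch_hdr(user_mem_t *um, int i, user_hdr_t *out) {
    *out = um->hdrs[i];
    if (i == um->racing_index && um->fetches[i] >= 1)
        out->msg_len = um->racing_len;
    um->fetches[i]++;
}

/* Vulnerable: check pass and use pass each fetch from user memory.
 * Returns the byte count the copy loop would write into a KBUF_SIZE kernel
 * buffer (anything above KBUF_SIZE is the overflow), or -1 if rejected. */
long sendmsg_vuln(user_mem_t *um, int nmsgs) {
    user_hdr_t h;
    uint64_t total = 0;
    if (nmsgs > MAX_MSGS) return -1;
    for (int i = 0; i < nmsgs; i++) { fetch_hdr(um, i, &h); total += h.msg_len; }
    if (total > KBUF_SIZE) return -1;            /* check: based on fetch #1 */
    long written = 0;
    for (int i = 0; i < nmsgs; i++) {
        fetch_hdr(um, i, &h);                    /* use: fetch #2 may differ */
        written += h.msg_len;                    /* trusted without re-validation */
    }
    return written;
}

/* Fixed: fetch each header exactly once into kernel-owned storage and do
 * both the validation and the copy from that private copy. */
long sendmsg_fixed(user_mem_t *um, int nmsgs) {
    user_hdr_t khdrs[MAX_MSGS];
    uint64_t total = 0;
    if (nmsgs > MAX_MSGS) return -1;
    for (int i = 0; i < nmsgs; i++) { fetch_hdr(um, i, &khdrs[i]); total += khdrs[i].msg_len; }
    if (total > KBUF_SIZE) return -1;
    long written = 0;
    for (int i = 0; i < nmsgs; i++) written += khdrs[i].msg_len;   /* kernel copy only */
    return written;
}

/* Two 64-byte messages (128 bytes, within KBUF_SIZE); with racing set, the
 * second header flips to 0x10000 between the check and the use. */
long run_sendmsg(int racing, int fixed) {
    static const uint32_t lens[2] = { 64, 64 };   /* constructed sample input */
    user_mem_t um;
    user_mem_init(&um, lens, 2, racing ? 1 : -1, 0x10000u);
    return fixed ? sendmsg_fixed(&um, 2) : sendmsg_vuln(&um, 2);
}

int main(void) {
    printf("vulnerable, no race: %ld bytes\n", run_sendmsg(0, 0));
    printf("vulnerable, race:    %ld bytes (buffer is %d)\n", run_sendmsg(1, 0), KBUF_SIZE);
    printf("fixed, race:         %ld bytes\n", run_sendmsg(1, 1));
    return 0;
}
```

The fix is the general rule for any syscall argument that lives in user memory: copy it in once, validate the kernel copy, and never touch the user-side original again for that operation.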
CVE-2020-17057/ZDI-20-1371: Microsoft Windows DirectComposition Uninitialized Pointer Privilege Escalation Vulnerability
This bug was reported to the ZDI program by an anonymous researcher. This is a vulnerability in the Windows DirectComposition kernel-mode graphics component. The win32kbase!DirectComposition::CInteractionTrackerMarshaler::SetBufferProperty function populates an object of type DirectComposition::CInteractionTrackerMarshaler based upon data passed from user mode. If this function encounters invalid data, it branches to an error path, which attempts to release resources the function has already created and stored in the object. Due to a bug in this error path, the function can be influenced to release a pointer that was never initialized. This gives an attacker control over the instruction pointer in kernel mode, which can be leveraged to gain SYSTEM privileges.
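The error-path defect described above, as an added illustration in C that is not Windows or DirectComposition code: a property setter creates resources one after another and stores them in the object, and on invalid input runs a cleanup routine that releases every resource slot, including one the setter had not reached yet. The object type, field names, set_buffer_property and the demo allocator are assumptions; "uninitialized" memory is simulated by filling the object with a fixed byte pattern, and releasing a pointer the allocator never handed out is counted rather than dereferenced, which stands in for the kernel calling through garbage.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical marshaler object whose fields are filled in sequence. */
typedef struct { int kind; } resource_t;

typedef struct {
    resource_t *buffer;
    resource_t *surface;
    resource_t *callback;   /* only created after the input is validated */
} tracker_t;

/* Demo allocator that knows which resource pointers are live, so a release
 * of an address it never returned can be detected instead of executed. */
#define MAX_LIVE 16
static resource_t *live[MAX_LIVE];
static int bogus_releases;

static resource_t *res_create(int kind) {
    resource_t *r = malloc(sizeof *r);
    if (!r) return NULL;
    r->kind = kind;
    for (int i = 0; i < MAX_LIVE; i++) if (!live[i]) { live[i] = r; return r; }
    free(r);
    return NULL;
}

static void res_release(resource_t *r) {
    if (!r) return;                           /* NULL is a safe no-op */
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == r) { live[i] = NULL; free(r); return; }
    bogus_releases++;                         /* never allocated: stale slot contents */
}

/* Cleanup path that assumes every slot holds either NULL or a live resource. */
static void release_all(tracker_t *t) {
    res_release(t->buffer);
    res_release(t->surface);
    res_release(t->callback);
}

/* Constructors. The vulnerable one leaves the fields holding whatever the
 * allocation previously contained (simulated with a fixed pattern). */
static void tracker_construct_vuln(tracker_t *t)  { memset(t, 0x41, sizeof *t); }
static void tracker_construct_fixed(tracker_t *t) { memset(t, 0x00, sizeof *t); }

/* Assumed validity rule for the user-supplied buffer: 4+ bytes, first byte 0x01. */
static int data_valid(const unsigned char *data, size_t len) { return len >= 4 && data[0] == 0x01; }

/* Populates the object from user data. Returns 0 on success, -1 if rejected.
 * On the error path, callback has not been created yet, so release_all sees
 * whatever the constructor left in that slot. */
int set_buffer_property(tracker_t *t, const unsigned char *data, size_t len) {
    t->buffer = res_create(1);
    t->surface = res_create(2);
    if (!data_valid(data, len)) {
        release_all(t);                       /* BUG with the vuln constructor */
        return -1;
    }
    t->callback = res_create(3);
    return 0;
}

/* Runs one scenario and returns how many never-allocated pointers reached
 * res_release: the count of "uninitialized pointer released" events. */
int run_tracker(int fixed_ctor, int valid_input) {
    static const unsigned char bad[4]  = { 0xff, 0, 0, 0 };   /* constructed inputs */
    static const unsigned char good[4] = { 0x01, 0, 0, 0 };
    tracker_t t;
    bogus_releases = 0;
    if (fixed_ctor) tracker_construct_fixed(&t); else tracker_construct_vuln(&t);
    if (set_buffer_property(&t, valid_input ? good : bad, 4) == 0)
        release_all(&t);                      /* normal teardown of a complete object */
    return bogus_releases;
}

int main(void) {
    printf("uninitialized fields, invalid data: %d bogus release(s)\n", run_tracker(0, 0));
    printf("uninitialized fields, valid data:   %d bogus release(s)\n", run_tracker(0, 1));
    printf("zeroed fields, invalid data:        %d bogus release(s)\n", run_tracker(1, 0));
    return 0;
}
```

The valid-input case with the vulnerable constructor comes out clean, which is why this class of bug hides in ordinary use: every slot has been written by the time teardown runs. Only the error path releases a field the setter never reached, so the hardening is to zero every pointer field at construction and make the release routine treat NULL as a no-op.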
Thanks for joining us as we recapped some of the best bugs submitted to the ZDI program this year. It’s been an amazing year for the program as we celebrated 15 years of operation. Many things have changed over the years, but our desire to work with independent security researchers from around the globe has never wavered. If you have submitted to the program, we thank you for your hard work and participation. If you haven’t submitted to the program, we hope you consider doing so in the future.
Until then, you can follow the ZDI team on Twitter for the latest in exploit techniques and security patches.