CVE-2020-0787

CVE Published	2020-03-12
Related CWE(s)	CWE-269: Improper Privilege Management, CWE-59: Improper Link Resolution Before File Access ('Link Following')
Related Vendor(s)	microsoft
Related Product(s)	windows_10_1909, windows_10_1507, windows_server_1903, windows_server_1909, windows_8.1, windows_server_2008, windows_10, windows_10_1809, windows_server_2012, windows_10_1607, windows_server_2019, windows_10_1903, windows_7, windows_server_2016, windows_rt_8.1, windows_10_1803, windows_server_1803, windows_10_1709
Exploitation Reported (CISA KEV)	2022-01-28
CVSS 3 Base Score	7.8 (HIGH)
CVSS 3 Attack Complexity	LOW
CVSS 3 Attack Vector	LOCAL

An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) improperly handles symbolic links, aka 'Windows Background Intelligent Transfer Service Elevation of Privilege Vulnerability'.

Cyber Threat Graph Context

Explore how this CVE relates to the wider threat graph

Associated CAPEC Patterns

Privilege Escalation (CAPEC-233)

An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform.

Privilege Abuse (CAPEC-122)

An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources.

Restful Privilege Elevation (CAPEC-58)

An adversary identifies a Rest HTTP (Get, Put, Delete) style permission method allowing them to perform various malicious actions upon server data due to lack of access control mechanisms implemented within the application service accepting HTTP messages.

Using Malicious Files (CAPEC-17)

An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.

Symlink Attack (CAPEC-132)

An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.

Leverage Executable Code in Non-Executable Files (CAPEC-35)

An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.

Manipulating Web Input to File System Calls (CAPEC-76)

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.

References

CVE.org

View more information about CVE-2020-0787 on the official MITRE CVE website.

NIST National Vulnerability Database

CVE-2020-0787 on the NIST NVD.

CISA Known Exploited Vulnerabilities