CVE-2020-1300: Remote Code Execution Through Microsoft Windows CAB Files
July 09, 2020 | Trend Micro Research Team

In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Pengsu Cheng and Yazhi Wang of the Trend Micro Research Team detail a recent code execution vulnerability in Microsoft Windows. The bug was originally discovered and reported by Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab. The following is a portion of their write-up covering CVE-2020-1300, with a few minimal modifications.
A directory traversal vulnerability has been reported in Microsoft Windows. The vulnerability is due to a lack of sanitization of file paths inside a CAB file. All supported versions of Microsoft Windows are affected by this bug.
A remote attacker could exploit this vulnerability by enticing a user into opening a crafted file or installing a remote printer. Successful exploitation could result in the execution of arbitrary code in the security context of SYSTEM.
The Vulnerability
Cabinet (CAB) is an archive file format invented by Microsoft to support lossless data compression and embedded digital certificates. It has been used widely on Windows platforms for multiple applications.
A cabinet file contains a cabinet header (CFHEADER), followed by one or more cabinet folder (CFFOLDER) entries, a series of one or more cabinet file (CFFILE) entries, and the actual compressed file data in CFDATA entries. The compressed file data in the CFDATA entry is stored in one of several compression formats, as indicated in the corresponding CFFOLDER structure. The structure of the CFHEADER has the following format:
The CFFOLDER entries immediately follow the CFHEADER structure. Each CFFOLDER entry contains information about one of the folders or partial folders stored in this cabinet file. Each folder can have multiple files, and each file has one CFFILE entry to describe it. The CFFILE entries follow the CFFOLDER entries in a CAB file and can be located by the coffFiles field in the CFHEADER structure. The number of CFFILE entries is specified in the CFHEADER structure by the cFiles field. A CFFILE entry has the following format:
The szName field is a NULL-terminated string specifying the name of the file. After the CFFILE entries, there appear the CFDATA entries, which contain the file contents.
Microsoft has developed the Cabinet API to support handling Cabinet files on the Windows platform. Many Microsoft applications use this API. To extract all files from a CAB file, the application commonly will use the FDICopy function and specify a callback function to handle all events during the extraction operation. For example, the callback function NCabbingLibrary::FdiCabNotify() is observed to be used in the dynamic link library localspl.dll and the executable PrintBrmEngine.exe when handling CAB files for printer-related applications. The function handles multiple types of notifications during the extraction, such as fdintCABINET_INFO, fdintPARTIAL_FILE, fdintCOPY_FILE, fdintCLOSE_FILE_INFO, fdintNEXT_CABINET and fdintENUMERATE. Of relevance to this report is the notification type fdintCOPY_FILE, which is called at the start of the processing of each file within the cabinet, providing the opportunity for the application to request that the file be copied or skipped.
A directory traversal vulnerability exists in several Microsoft applications when handling CAB files, including the Print Spooler application and the Print Management Console (printmanagement.msc). These applications share the same code for the function NCabbingLibrary::FdiCabNotify() when extracting all files inside a CAB file. Each time the Cabinet API handles a CFFILE and corresponding CFDATA entry in a CAB file, it sends the notification fdintCOPY_FILE to the callback function NCabbingLibrary::FdiCabNotify() with all information extracted from those entries. The vulnerability is due to a lack of input validation of the szName field in the CFFILE entry. When the affected function handles the notification fdintCOPY_FILE, the szName field is delivered as the file name. The function then concatenates the file name with a path to a temporary folder to generate an absolute file path. The temporary folder path is given by:
%userprofiles%\AppData\Local\[Some UUID]\
The affected function checks the szName field for directory traversal appearing as dot-dot-backslash (..\). However, it fails to consider the alternative syntax of dot-dot-slash (../), which also works on Windows platforms. If the CAB file contains a CFFILE entry with a szName field as shown below, the extracted file will be written outside the correct path:
../../../../../../some_file_name
Moreover, since the Print Spooler application runs in the security context of SYSTEM, this leads to an arbitrary file write in any location on the target.
A remote attacker could exploit this vulnerability by enticing a victim to open a crafted file or install a remote printer. Successful exploitation could result in the execution of arbitrary code in the security context of SYSTEM.
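The example below is added here and is not part of the original report or of Microsoft's code. It walks the CFFILE entries of a constructed, data-less CAB (field layout per Microsoft's published cabinet format, with a placeholder in place of the UUID folder), contrasts a check that only rejects the dot-dot-backslash form with one that treats both separators alike, and shows the defender-side fix of resolving the final path and confirming it stays under the temporary folder:

```python
import ntpath
import struct

# Field layouts per Microsoft's cabinet format; only the fields this check needs are read.
CFHEADER_FMT = "<4sIIIIIBBHHHHH"  # sig, res1, cbCabinet, res2, coffFiles, res3, verMinor, verMajor, cFolders, cFiles, flags, setID, iCabinet
CFFOLDER_FMT = "<IHH"             # coffCabStart, cCFData, typeCompress
CFFILE_FMT = "<IIHHHH"            # cbFile, uoffFolderStart, iFolder, date, time, attribs; szName follows

def build_cab(names):
    """Constructed sample: CFHEADER + one CFFOLDER + one CFFILE per name, no CFDATA."""
    files = b"".join(struct.pack(CFFILE_FMT, 0, 0, 0, 0, 0, 0x20) + n.encode() + b"\0" for n in names)
    folder = struct.pack(CFFOLDER_FMT, 0, 0, 0)
    coff_files = struct.calcsize(CFHEADER_FMT) + len(folder)
    hdr = struct.pack(CFHEADER_FMT, b"MSCF", 0, coff_files + len(files), 0, coff_files, 0, 3, 1, 1, len(names), 0, 0, 0)
    return hdr + folder + files

def cffile_names(cab):
    """Locate the CFFILE entries via coffFiles/cFiles and return each NUL-terminated szName."""
    fields = struct.unpack_from(CFHEADER_FMT, cab, 0)
    if fields[0] != b"MSCF":
        raise ValueError("not a cabinet file")
    coff_files, c_files = fields[4], fields[9]
    names, off = [], coff_files
    for _ in range(c_files):
        off += struct.calcsize(CFFILE_FMT)  # skip the fixed part; szName starts here
        end = cab.index(b"\0", off)
        names.append(cab[off:end].decode("utf-8", "replace"))
        off = end + 1
    return names

def flawed_check(name):
    """Mirrors the flaw described above: only the dot-dot-backslash form is rejected."""
    return "..\\" in name

def has_traversal(name):
    """Hardened check: treat '/' and '\\' alike; reject absolute names and any '..' component."""
    parts = name.replace("\\", "/").split("/")
    return name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":") or ".." in parts

def resolve_under(temp_dir, name):
    """Resolve the final path and return it only if it stays inside temp_dir, else None."""
    base = ntpath.normpath(temp_dir)
    full = ntpath.normpath(ntpath.join(base, name))
    return full if full.lower().startswith(base.lower() + "\\") else None

# Constructed sample: one benign name, one backslash traversal, one slash traversal (the case above).
SAMPLE = build_cab(["docs\\readme.txt", "..\\..\\escape.txt", "../../../../../../some_file_name"])
TEMP_DIR = "C:\\Users\\victim\\AppData\\Local\\{placeholder-uuid}"  # stands in for the UUID folder

def audit(cab=SAMPLE):
    """Per entry: (szName, caught by flawed check, caught by hardened check, resolved path or None)."""
    return [(n, flawed_check(n), has_traversal(n), resolve_under(TEMP_DIR, n)) for n in cffile_names(cab)]
```

Running audit() shows the third entry passing the flawed check yet resolving to C:\some_file_name, outside the temporary folder, which is exactly the write the report describes.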
Source Code Walkthrough
The following code snippet was taken and decompiled from PrintBrmEngine.exe version 10.0.18362.894.
To trigger the vulnerability, an attacker would need to deliver a malformed CAB file to a target machine or set up a remote printer with the malicious CAB file. Within the CAB file, the szName field of a CFFILE record must contain multiple "../" strings. The vulnerability is triggered when one of the affected applications parses the malformed CAB file.
The Patch
Microsoft patched this bug in the June release cycle. According to their write-up, this was fixed by “correcting how Windows handles cabinet files.” No further details about the fix are available. Although no exploits have been reported at this time, you should avoid opening CAB files until you apply the patch.
Special thanks to Pengsu Cheng and Yazhi Wang of the Trend Micro Research Team for providing such a thorough analysis of this vulnerability. For an overview of Trend Micro Research services please visit http://go.trendmicro.com/tis/.
The threat research team will be back with other great vulnerability analysis reports in the future. Until then, follow the ZDI team for the latest in exploit techniques and security patches.