CVE-2020-1300: Remote Code Execution Through Microsoft Windows CAB Files

The szName field is a NULL-terminated string specifying the name of the file. After the CFFILE entries, there appear the CFDATA entries, which contain the file contents.

Microsoft has developed the Cabinet API to support handling Cabinet files on the Windows platform. Many Microsoft applications use this API. To extract all files from a CAB file, the application commonly will use the FDICopy function and specify a callback function to handle all events during the extraction operation. For example, callback function NCabbingLibrary::FdiCabNotify() is observed to be used in the dynamic link library localspl.dll and the executable PrintBrmEngine.exe when handling CAB files for printer-related applications. The function handles multiple types of notifications during the extraction, such as fdintCABINET_INFO, fdintPARTIAL_FILE, fdintCOPY_FILE, fdintCLOSE_FILE_INFO, fdintNEXT_CABINET and fdintENUMERATE. Of relevance to this report is the notification type fdintCOPY_FILE, which is called at the start of the processing of each file within the cabinet, providing the opportunity for the application to request that the file be copied or skipped.

A directory traversal vulnerability exists in several Microsoft applications when handling CAB files, including the Print Spooler application and the Print Management Console (printmanagement.msc). These applications share the same code for function NCabbingLibrary::FdiCabNotify() when extracting all files inside a CAB file. Each time the Cabinet API handles a CFFILE and corresponding CFDATA entry in a CAB file, it sends notification fdintCOPY_FILE to the callback function NCabbingLibrary::FdiCabNotify() with all information extracted from those entries. The vulnerability is due to a lack of input validation of the szName field in the CFFILE entry. When the affected function handles the notification fdintCOPY_FILE, the szName field is delivered as the file name. The function then concatenates the file name with a path to a temporary folder to generate an absolute file path. The temporary folder path is given by:

       %userprofiles%\AppData\Local\[Some UUID]\

The affected function checks the szName field for directory traversal appearing as dot-dot- backslash (..). However, it fails to consider the alternative syntax of dot-dot-slash (../), which also works on Windows platforms. If the CAB file contains a CFFILE entry with szName field as shown below, the extracted file will be written outside the correct path:

       ../../../../../../some_file_name

Moreover, since the Print Spooler application runs in the security context of SYSTEM, this leads to an arbitrary file write in any location on the target.

A remote attacker could exploit this vulnerability by enticing a victim to open a crafted file or install a remote printer. Successful exploitation could result in the execution of arbitrary code in the security context of SYSTEM.

Source Code Walkthrough

The following code snippet was taken and decompiled from PrintBrmEngine.exe version 10.0.18362.894.

To trigger the vulnerability, an attacker would need to deliver a malformed CAB file to a target machine or set up a remote printer with the malicious CAB file. Within the CAB file, the szName field of a CFFILE record must contain multiple “../” strings. The vulnerability is triggered when one of the affected applications parses the malformed CAB file.