NTFS Remote Code Execution (CVE-2020-17096) Analysis

Read the original article: NTFS Remote Code Execution (CVE-2020-17096) Analysis

This is an analysis of the CVE-2020-17096 vulnerability published by Microsoft on December 12, 2020. The remote code execution vulnerability, assessed by Microsoft as Exploitation: “More Likely”, grabbed our attention among the last Patch Tuesday fixes.

Diffing ntfs.sys

Comparing the patched driver to the unpatched version with BinDiff, we saw that there’s only one changed function, NtfsOffloadRead.

The function is rather big, and from a careful comparison of the two driver versions, the only changed code is located at the very beginning of the function:

    uint NtfsOffloadRead(PIRP_CONTEXT IrpContext, PIRP Irp)
    {
        PVOID decoded = NtfsDecodeFileObjectForRead(…);
        if (!decoded) {
            if (NtfsStatusDebugFlags) {
                // …
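To make the shape of the patched prologue concrete, the following is an added user-mode C model written for this page; it is not ntfs.sys code and not ZecOps' code. The structures (FILE_OBJECT, READ_REQUEST), the status codes, the reasons decode_file_object_for_read returns NULL, and the stand-in names decode_file_object_for_read and offload_read are all assumptions: the page only shows that the patch now rejects a NULL result from NtfsDecodeFileObjectForRead before the rest of the function runs. The model goes one step beyond the page by also bounds-checking the requested range in an overflow-safe way, which is the next thing a reviewer would expect a read path to validate.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed NTSTATUS-like codes for this model (assumption, not from ntfs.sys). */
#define STATUS_SUCCESS            0x00000000u
#define STATUS_INVALID_PARAMETER  0xC000000Du
#define STATUS_END_OF_FILE        0xC0000011u

/* Hypothetical file object carrying only the fields this model needs. */
typedef struct {
    int            is_data_stream;  /* nonzero if the object names a data stream */
    uint32_t       length;          /* bytes in the stream */
    const uint8_t *data;
} FILE_OBJECT;

/* Hypothetical read request, standing in for the IRP. */
typedef struct {
    FILE_OBJECT *file_object;
    uint32_t     offset;
    uint32_t     length;
    uint8_t      out[64];
} READ_REQUEST;

/* Stand-in for NtfsDecodeFileObjectForRead: NULL means "not usable for a read".
 * The conditions here are constructed; the real driver's checks are not on the page. */
static const FILE_OBJECT *decode_file_object_for_read(const READ_REQUEST *req)
{
    if (req->file_object == NULL || !req->file_object->is_data_stream)
        return NULL;
    return req->file_object;
}

/* Read path in the post-patch shape: validate the decode result first, then the
 * requested range (without integer wrap), and only then touch the stream. */
uint32_t offload_read(READ_REQUEST *req)
{
    const FILE_OBJECT *fo = decode_file_object_for_read(req);
    if (fo == NULL)
        return STATUS_INVALID_PARAMETER;   /* the guard the patch adds up front */

    if (req->length > sizeof req->out)
        return STATUS_INVALID_PARAMETER;

    /* offset + length could wrap around; compare by subtraction instead. */
    if (req->offset > fo->length || req->length > fo->length - req->offset)
        return STATUS_END_OF_FILE;

    memcpy(req->out, fo->data + req->offset, req->length);
    return STATUS_SUCCESS;
}

/* Scenario helper: a request over a constructed 16-byte stream. */
uint32_t run_scenario(int is_data_stream, uint32_t offset, uint32_t length)
{
    static const uint8_t stream[] = "0123456789abcdef";   /* constructed data */
    FILE_OBJECT fo = { is_data_stream, (uint32_t)(sizeof stream - 1), stream };
    READ_REQUEST req = { &fo, offset, length, {0} };
    return offload_read(&req);
}

/* Scenario helper: a request that carries no file object at all. */
uint32_t run_null_object(void)
{
    READ_REQUEST req = { NULL, 0, 4, {0} };
    return offload_read(&req);
}
```

The point of the model is ordering: every value derived from the request is checked before it is dereferenced, so a request that decodes to nothing fails with a status code instead of reaching the code that follows the prologue.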

Continue reading NTFS Remote Code Execution (CVE-2020-17096) Analysis at ZecOps Blog.
