CVE-2020-0733 Overview
An elevation of privilege vulnerability exists in the Windows Malicious Software Removal Tool (MSRT) due to improper handling of junctions. This vulnerability allows an attacker who already has execution capabilities on a victim system to escalate their privileges, potentially gaining elevated access to sensitive system resources and functions.
Critical Impact
Local attackers with initial execution capability can exploit improper junction handling in MSRT to escalate privileges and gain elevated access to the system.
Affected Products
- Microsoft Windows Malicious Software Removal Tool (all versions prior to patch)
Discovery Timeline
- 2020-02-11 - CVE-2020-0733 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-0733
Vulnerability Analysis
This elevation of privilege vulnerability stems from the Windows Malicious Software Removal Tool's failure to properly validate and handle file system junctions (a type of NTFS reparse point). MSRT, which runs with elevated SYSTEM privileges during its scanning operations, follows junctions without adequate verification of their targets. When MSRT processes files or directories during its malware scanning routine, an attacker can manipulate these operations by placing carefully crafted junctions that redirect MSRT's privileged file operations to arbitrary locations.
The exploitation requires an attacker to first gain execution on the target system, meaning this is a local privilege escalation attack rather than a remote compromise. Once initial access is established, the attacker can create symbolic links or directory junctions that cause MSRT to perform privileged operations on attacker-controlled targets during its next execution cycle.
Root Cause
The root cause of CVE-2020-0733 lies in insufficient validation of file system objects during MSRT's privileged operations. The tool fails to verify whether a directory or file it accesses is a junction pointing to an unintended location before performing privileged actions. This creates a TOCTOU (Time-of-Check to Time-of-Use) race condition where an attacker can substitute a legitimate target with a malicious junction between validation and use.
Attack Vector
The attack vector for this vulnerability is local, requiring the attacker to already have code execution capability on the target system. The attack flow typically involves:
- The attacker gains initial execution on the target system through another means (phishing, exploitation, etc.)
- The attacker creates a directory junction in a location that MSRT will process during its scan
- The junction points to a sensitive system location or file the attacker wishes to manipulate
- When MSRT runs (either manually triggered or during scheduled execution), it follows the junction
- MSRT performs privileged file operations (write, delete, modify) on the attacker-specified target
- The attacker achieves privilege escalation through these redirected operations
The vulnerability can be exploited to overwrite system files, modify protected registry keys, or gain SYSTEM-level access through careful manipulation of MSRT's file operations. For detailed technical information, see the Microsoft Security Advisory CVE-2020-0733.
Detection Methods for CVE-2020-0733
Indicators of Compromise
- Unusual junction or symbolic link creation in directories processed by MSRT
- Unexpected file modifications in system directories coinciding with MSRT execution times
- Creation of reparse points in temporary or user-accessible directories
- Suspicious process activity where mrt.exe accesses unexpected file paths
Detection Strategies
- Monitor for junction and symbolic link creation events, particularly in user-writable directories
- Implement file integrity monitoring on critical system files and directories
- Track MSRT execution patterns and correlate with unexpected system file changes
- Deploy endpoint detection solutions capable of identifying junction-based privilege escalation attempts
Monitoring Recommendations
- Enable Windows Security Event logging for file system operations (Event ID 4663)
- Monitor the Windows Security log for privilege escalation indicators
- Track reparse point creation using Sysmon with appropriate configuration rules
- Implement alerts for MSRT (mrt.exe) accessing file paths outside its normal operational scope
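The review of reparse points in user-writable directories described above can be scripted. The following PowerShell is an added example, not code from Microsoft or from this advisory; the scanned roots, the list of protected prefixes and the function name Find-RedirectingLink are assumptions to adjust per environment.

```powershell
# Added example (not from the advisory): list junctions and symbolic links under
# user-writable roots and flag those whose target is a protected system location.
# $Roots and $Protected are assumed defaults; adjust them per host.
$Roots     = @($env:TEMP, "$env:SystemRoot\Temp", $env:PUBLIC)
$Protected = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData) |
    Where-Object { $_ }

function Find-RedirectingLink {
    param([string[]]$Path, [string[]]$ProtectedPrefix)

    # Normalise prefixes so "C:\Windows" does not also match "C:\WindowsOld".
    $prefixes = $ProtectedPrefix | ForEach-Object { $_.TrimEnd('\') + '\' }
    $queue = [System.Collections.Generic.Queue[string]]::new()
    foreach ($p in $Path) {
        if ($p -and (Test-Path -LiteralPath $p -PathType Container)) { $queue.Enqueue($p) }
    }
    while ($queue.Count -gt 0) {
        $dir = $queue.Dequeue()
        foreach ($item in Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue) {
            $isReparse = [bool]($item.Attributes -band [IO.FileAttributes]::ReparsePoint)
            if ($isReparse -and $item.LinkType -in 'Junction', 'SymbolicLink') {
                # Target is string[] in Windows PowerShell 5.1 and string in PowerShell 7.
                # Relative symlink targets are reported but not matched against prefixes.
                $target = @($item.Target)[0]
                $probe  = if ($target) { $target.TrimEnd('\') + '\' } else { '' }
                $hit    = $false
                foreach ($pre in $prefixes) {
                    if ($probe.StartsWith($pre, [StringComparison]::OrdinalIgnoreCase)) { $hit = $true }
                }
                [pscustomobject]@{
                    Link          = $item.FullName
                    LinkType      = $item.LinkType
                    Target        = $target
                    CreatedUtc    = $item.CreationTimeUtc
                    IntoProtected = $hit
                }
            }
            elseif ($item.PSIsContainer -and -not $isReparse) {
                # Descend only into real directories, never through a reparse point.
                $queue.Enqueue($item.FullName)
            }
        }
    }
}

Find-RedirectingLink -Path $Roots -ProtectedPrefix $Protected |
    Sort-Object CreatedUtc -Descending |
    Format-Table -AutoSize
```

Run it from an elevated session so other users' directories are readable, and compare CreatedUtc on any row with IntoProtected set against the times mrt.exe executed.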
How to Mitigate CVE-2020-0733
Immediate Actions Required
- Apply the latest Microsoft security update for Windows Malicious Software Removal Tool
- Ensure MSRT is updated to the latest version through Windows Update
- Review systems for signs of exploitation or unusual junction creation
- Limit user permissions to prevent unauthorized creation of junctions in sensitive directories
Patch Information
Microsoft has released a security update to address this vulnerability. The patch corrects how the Windows Malicious Software Removal Tool handles junctions during file operations. Organizations should ensure that MSRT is updated through the standard Windows Update mechanism. For complete patch details and deployment guidance, refer to the Microsoft Security Advisory CVE-2020-0733.
Workarounds
- Restrict user permissions to prevent creation of junctions in directories MSRT processes
- Implement application whitelisting to limit unauthorized code execution that could precede exploitation
- Use Group Policy to limit junction creation capabilities for non-administrative users
- Deploy SentinelOne endpoint protection for real-time detection and prevention of privilege escalation attempts


