module
Background Intelligent Transfer Service Arbitrary File Move Privilege Elevation Vulnerability
| Disclosed |
|---|
| Mar 10, 2020 |
Disclosed
Mar 10, 2020
Description
This module exploits CVE-2020-0787, an arbitrary file move vulnerability in outdated versions of the
Background Intelligent Transfer Service (BITS), to overwrite C:\Windows\System32\WindowsCoreDeviceInfo.dll
with a malicious DLL containing the attacker's payload.
To achieve code execution as the SYSTEM user, the Update Session Orchestrator service is then started, which
will result in the malicious WindowsCoreDeviceInfo.dll being run with SYSTEM privileges due to a DLL hijacking
issue within the Update Session Orchestrator Service.
Note that presently this module only works on Windows 10 and Windows Server 2016 and later as the
Update Session Orchestrator Service was only introduced in Windows 10. Note that only Windows 10 has been tested,
so your mileage may vary on Windows Server 2016 and later.
Background Intelligent Transfer Service (BITS), to overwrite C:\Windows\System32\WindowsCoreDeviceInfo.dll
with a malicious DLL containing the attacker's payload.
To achieve code execution as the SYSTEM user, the Update Session Orchestrator service is then started, which
will result in the malicious WindowsCoreDeviceInfo.dll being run with SYSTEM privileges due to a DLL hijacking
issue within the Update Session Orchestrator Service.
Note that presently this module only works on Windows 10 and Windows Server 2016 and later as the
Update Session Orchestrator Service was only introduced in Windows 10. Note that only Windows 10 has been tested,
so your mileage may vary on Windows Server 2016 and later.
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.