Windows Lockscreen Elevation of Privilege Vulnerability - CVE-2020-1398 - Tutorial Boy -->

Windows Lockscreen Elevation of Privilege Vulnerability - CVE-2020-1398





In April 2021, I discovered a security flaw in Windows Recovery Environment Agent which allowed an unauthenticated attacker to gain elevated access to a windows machine in a locked state.

Those research were based on Jonas's findings related to bypassing lock screens (presentation). He described a flaw, which allowed lock screen bypass using the Ease of Access feature.

Looking at CVE-2020-1398, the bug existed in the sticky keys pop-up




By clicking the link, an instance of settings will be spawned in the background. Then you’ll be simply able to bypass the lock screen. Microsoft has patched the issue by removing the link as it no longer appears when being spawned in a lock screen environment.

And to be clear this bug and its descendants need a condition. On Windows 10 machine, at least one user must have a Microsoft account linked to his local account. Otherwise, the bug isn't exploitable.

Now, I'll try to give a short explanation for you humans. Cause if I showed the video PoC you will be confused as hell.


As you can see above, Windows can allow you to reset your password/pin if you had access to your Microsoft account. If you click on "I forgot my PIN" you will be redirected to something like this




I have noticed a weird kind of behavior when typing a wrong password, a small arrow next to the email address will be visible.

This behavior exists for some unknown reason, maybe a bug? feature? probably a bug. (apparently its a feature after the patch)


Clicking there will take us to another page. As we can see that we’re allowed to login with another email address or even create a new account.


I tried to create a new account, login with it but it fails since the account doesn’t belong to the one we are trying to reset its password.

However, this small button right there attracted my attention and hmmm it's interesting



By clicking on it we’ll see another pop-up dialogue, that has a link on it.



Hmmm very interesting, a link ? in the lock screen? weird right. As usual, we’ll click on it and see what happen… clicking on it did absolutely nothing, BUT maybe something was spawned in the background and we can’t see it, as Jonas described in his lock screen bypass, he used to enable the narrator in order to navigate in background apps. I enabled the narrator and got some very interesting results.



When enabled and I click on the button, you can hear the narrator saying “how do you want to open this”, and the narrator’s focus is on something else not in Microsoft account window. We spawned an “Open With” window with the narrator’s focus on it in the background; Typically the “Open With” window looks like this




But only has two options the first is MS Edge and the second one is Internet Explorer, we’ll dig with MS Edge since it’s selected by default, please NOTE that you might HOLD Caps lock while using arrow keys to navigate.

After tests, as soon as we select OK we lose the narrator’s focus and we’re no longer able to control the background window.

We can have the narrator’s focus again as soon as we repeat the steps described above, we’ll have the narrator’s focus again. But this time we’ll have it on MS Edge browser, at this point, we will need to elevate our privileges, the only way I can think of to execute arbitrary commands is to spawn a settings instance. This can be done by spawning another new InPrivate window, (please NOTE: you won’t be able to see any of those, and things will be completely invisible you must use your ear to hear what the narrator say and use it to navigate);




Then you might need to go on “More details”


Press enter and navigate to settings



Which will redirect us to another page, keep navigating until you reach “Windows Diagnostic data setting” and then navigate using a narrator to open and click enter again



In settings navigate to “Home” and press enter




Then navigate to “Devices”


Navigate to Autoplay->Choose Autoplay Defaults->” Open folder to view files(File Explorer)

At this point, you might need to plug a USB device into the device. As soon as plugged narrator will have his focus on file explorer, now you can execute anything in the USB.
In order to verify our findings, I made a simple batch script that will verify our findings

mkdir c:\poc

whoami /all > c:\poc\whoami.log

And after the execution, we can observe a success

Elevating privileges is easy since we’re marked as “NT AUTHORITY\Authenticated Users” as the majority of EoPs are reachable from those privileges.

PoC - https://youtu.be/9rXXfWN0h6A