Two security researchers have published today details about a vulnerability in the Windows printing service that they say impacts all Windows versions going back to Windows NT 4, released in 1996.
The vulnerability, which they codenamed PrintDemon, is located in Windows Print Spooler, the primary Windows component responsible for managing print operations.
The service can send data to be printed to a USB/parallel port for physically connected printers; to a TCP port for printers residing on a local network or the internet; or to a local file, in the rare event the user wants to save a print job for later.
Trivially exploitable local privilege elevation
In a report published today, security researchers Alex Ionescu and Yarden Shafir said they found a bug in this old component that can be abused to hijack the Print Spooler's internal mechanism.
The bug can’t be used to break into a Windows client remotely over the internet, so it’s not something that could be exploited to hack Windows systems at random over the internet.
PrintDemon is what researchers call a “local privilege escalation” (LPE) vulnerability. This means that once an attacker has even the tiniest foothold inside an app or a Windows machine, even with user-mode privileges, the attacker can run something as simple as one unprivileged PowerShell command to gain administrator-level privileges over the entire OS.
This is possible because of how the Print Spooler service was designed to work, Ionescu and Shafir said.
Because this is a service meant to be available to any app that wants to print a file, it is available to all apps running on a system, without restrictions. The attacker can create a print job that prints to a file — for example a local DLL file used by the OS or another app.
The attacker can initiate the print operation, crash the Print Spooler service intentionally, and then let the job resume, but this time the printing operation runs with SYSTEM privileges, allowing it to overwrite any files anywhere on the OS.
Attackers can exploit CVE-2020-1048 with a single PowerShell command:
Add-PrinterPort -Name c:\windows\system32\ualapi.dll
On an unpatched system, this will install a persistent backdoor, that won’t go away *even after you patch*.
See https://t.co/9yMSWNM8VG for more details.
— Alex Ionescu (@aionescu) May 13, 2020
In a tweet today, Ionescu said exploitation on current OS versions requires a single line of PowerShell. On older Windows versions, this might need some tweaking.
“On an unpatched system, this will install a persistent backdoor, that won’t go away *even after you patch*,” Ionescu said.
Patches available
The good news is that this has now been patched, hence Ionescu and Shafir's public disclosure. Fixes for PrintDemon were released yesterday, with the Microsoft May 2020 Patch Tuesday.
PrintDemon is tracked under the CVE-2020-1048 identifier. Two security researchers from SafeBreach Labs also independently reported the same issue.
Ionescu has also published proof-of-concept code on GitHub with the purpose of helping security researchers and system administrators to investigate the vulnerability and prepare mitigations and detection capabilities.
For threat hunters:
Scan for any file-based ports with either Get-PrinterPorts in PowerShell, or dump HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports. Any ports that have a file path in them especially ending in DLL or EXE should be investigated. https://t.co/wYZn296Gwm
— Randy Pargman (@rpargman) May 13, 2020
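The registry check from the tweet above, written out as an added hunting script (not from the article or the researchers): it reads the Ports key, flags any port whose name looks like a filesystem path (drive letter or UNC), ranks .dll/.exe targets highest, and cross-checks against the live port list from the PrintManagement cmdlet Get-PrinterPort. The severity labels and regexes are this example's own assumptions, not a Microsoft or researcher convention.

```powershell
# Added example: hunt for file-backed print spooler ports (CVE-2020-1048 persistence artefact).
# Run in an elevated PowerShell on the host being examined.

$portsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports'
$props = Get-ItemProperty -Path $portsKey

# Under this key every registry value NAME is a spooler port name (COM1:, LPT1:, FILE:, ...).
# Get-ItemProperty also attaches PS* metadata properties; drop those before inspecting names.
$portNames = $props.PSObject.Properties |
    Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
    Select-Object -ExpandProperty Name

$pathPattern   = '^(?:[A-Za-z]:\\|\\\\)'   # assumption: drive-letter or UNC prefix means "file-backed"
$binaryPattern = '\.(dll|exe)\s*$'         # a port that writes into a DLL/EXE is the PrintDemon pattern

$suspicious = foreach ($name in $portNames) {
    $isPath   = $name -match $pathPattern
    $isBinary = $name -match $binaryPattern
    if ($isPath -or $isBinary) {
        [pscustomobject]@{
            Port     = $name
            Severity = if ($isBinary) { 'High' } else { 'Medium' }
            # If the target already exists on disk, the overwrite may have happened; triage that file.
            OnDisk   = Test-Path -LiteralPath $name
        }
    }
}

# Second view: what the spooler itself currently reports, via the PrintManagement module.
$livePorts = Get-PrinterPort -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $pathPattern -or $_.Name -match $binaryPattern } |
    Select-Object Name, Description, PortMonitor

if ($suspicious) { $suspicious | Format-Table -AutoSize } else { 'Registry: no file-backed ports found.' }
if ($livePorts)  { $livePorts  | Format-Table -AutoSize } else { 'Spooler: no file-backed ports found.' }
```

A hit is an indicator to investigate, not proof of compromise: confirm by checking who created the port (spooler operational log, file ownership and timestamps on the target) before removing it.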
Last month, Ionescu and Shafir also published details and proof-of-concept code for a similar vulnerability that they named FaxHell.
FaxHell works similarly to PrintDemon, but the researchers exploited the Windows Fax service to overwrite and hijack local (DLL) files to install shells and backdoors on Windows systems.