Two security researchers have published today details about a vulnerability in the Windows printing service that they say impacts all Windows versions going back to Windows NT 4, released in 1996.
The vulnerability, which they codenamed PrintDemon, is located in Windows Print Spooler, the primary Windows component responsible for managing print operations.
The service can send data to be printed to a USB/parallel port for physically connected printers; to a TCP port for printers residing on a local network or the internet; or to a local file, in the rare event the user wants to save a print job for later.
Trivially exploitable local privilege elevation
In a report published today, security researchers Alex Ionescu & Yarden Shafir said they found a bug in this old component that can be abused to hijack the Printer Spooler internal mechanism.
PrintDemon is what researchers call a “local privilege escalation” (LPE) vulnerability. This means that once an attacker has even the tiniest foothold inside an app or a Windows machine, even with user-mode privileges, the attacker can run something as simple as one unprivileged PowerShell command to gain administrator-level privileges over the entire OS.
This is possible because of how the Print Spooler service was designed to work, Ionescu and Shafir said.
Because this is a service meant to be available to any app that wants to print a file, it is available to all apps running on a system, without restrictions. The attacker can create a print job that prints to a file — for example a local DLL file used by the OS or another app.
The attacker can initiate the print operation, crash the Print Spooler service intentionally, and then let the job resume, but this time the printing operation runs with SYSTEM privileges, allowing it to overwrite any files anywhere on the OS.
In a tweet today, Ionescu said exploitation on current OS versions requires one single line of PowerShell. On older Windows versions, this might need some tweaking.
“On an unpatched system, this will install a persistent backdoor, that won’t go away *even after you patch*,” Ionescu said.
The good news is that this has now been patched, hence Ionescu and Shafir’s public disclosure. Fixes for PrintDemon have been released yesterday, with the Microsoft May 2020 Patch Tuesday.
PrintDemon is tracked under the CVE-2020-1048 identifier. Two security researchers from SafeBreach Labs, Peleg Hadar and Tomer Bar, were the first to discover the issue and report it to Microsoft. The two will be presenting their own report on the issue at the Black Hat security conference in August.
Ionescu has also published proof-of-concept code on GitHub with the purpose of aiding security researchers and system administrators investigate the vulnerability and prepare mitigations and detection capabilities.
FaxHell works similarly to PrintDemon, but the researchers exploited the Windows Fax service to overwrite and hijack local (DLL) files to install shells and backdoors on Windows systems.