Information security specialists Yarden Shafir and Alex Ionescu published information about the PrintDemon vulnerability, associated with the Windows print service. According to the researchers, this problem affects all versions of the OS, starting with Windows NT 4, released back in 1996.
GitHub already has a PoC exploit for PrintDemon. The root of the PrintDemon problem lies in the Windows Print Spooler component, which manages Windows print operations. The service is used to send data for printing to a USB or parallel port (for physically connected printers), to a TCP port (for printers located on a local network or on the Internet), or to a local file (in those rare cases when a user wants to save a print job for later).
The detected error can be used to compromise the Print Spooler mechanism. “Essentially, PrintDemon is a local privilege escalation (LPE) vulnerability. That is, the problem cannot be used for remote compromise via the Internet, which means that, fortunately, there is no need to fear a wave of remote attacks on Windows systems,” the experts write.
Using PrintDemon allows an attacker who already has at least some “foothold” in the system to gain administrator privileges. Since the Print Spooler service is available to any application that wants to print a file, it is available to all applications running on the system without restrictions.
An attacker can create a print task that prints “to a file”, for example a local DLL used by the OS or by another application. The attacker then initiates the print operation, crashes the Print Spooler, and lets it resume its work: the resumed print operation is now performed with SYSTEM privileges and can overwrite any file in any location.
Ionescu notes on Twitter that only one line of PowerShell is needed to exploit the bug on current versions of Windows. On older versions of the OS, an attack may require a little more effort.
“In an unpatched system, this will allow installing a persistent backdoor that will not disappear *even after installing the patch*,” the expert emphasizes.
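A defender-side check for the file-target ports this technique relies on, written as an added example for this article rather than code from the researchers: it enumerates printer ports from both the spooler API and the Local Port monitor's registry key and flags any port whose name is a filesystem path, rating paths under the Windows directory or with an executable extension as high-risk. It assumes the PrintManagement module (Get-PrinterPort) is available and is run from an elevated PowerShell.

```powershell
# Added example (not from the article or the researchers): list printer ports
# that point at a local file path, the way a "print to file" job is aimed at an
# arbitrary location, and rate the risky ones.
# Assumes the PrintManagement module and read access to the Local Port
# monitor's registry key; run from an elevated PowerShell session.

function Get-SuspiciousPrinterPort {
    [CmdletBinding()]
    param()

    # Value names under this key are the port names known to the Local Port monitor.
    $regKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors\Local Port\Ports'

    # Collect port names from the spooler API and directly from the registry,
    # since a port may be written to the registry without going through the API.
    $names = @()
    $names += (Get-PrinterPort -ErrorAction SilentlyContinue |
               Select-Object -ExpandProperty Name)
    if (Test-Path $regKey) {
        $names += (Get-Item $regKey).Property
    }

    $sysRoot = [regex]::Escape($env:SystemRoot)

    foreach ($name in ($names | Sort-Object -Unique)) {
        # Only a drive-letter path is a file target; COM1:, LPT1:, FILE: are not.
        if ($name -notmatch '^[A-Za-z]:\\') { continue }

        # Paths under the Windows directory or with an executable extension
        # match the DLL-overwrite scenario described above.
        $risk = 'review'
        if ($name -match "^$sysRoot\\" -or $name -match '\.(dll|exe|sys)$') {
            $risk = 'high'
        }

        [pscustomobject]@{
            Port   = $name
            Risk   = $risk
            Exists = Test-Path -LiteralPath $name
        }
    }
}

Get-SuspiciousPrinterPort | Format-Table -AutoSize
```

A non-empty result is a starting point for investigation, not proof of compromise: legitimate software occasionally creates file ports, so check who created the port and what spool jobs reference it.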
According to the researchers' message, a fix for this problem is already available. The patch for the PrintDemon vulnerability was included in Microsoft's May Patch Tuesday updates, and the vulnerability itself received the identifier CVE-2020-1048.
It should be noted that SafeBreach Labs experts were the first to notice this bug, and they also reported it to Microsoft. The researchers will present their own report on this issue at the Black Hat conference, which will be held in August this year.
Recall that we recently wrote about 0-day vulnerabilities in atmfd.dll that endanger all versions of Windows.