• On the radar: An exploit for CVE-2020-1048, Windows Print Spooler elevation of privilege

    It isn’t yet time to go screaming for the exits, but there’s an important analysis of the CVE-2020-1048 security hole, patched in this month’s Patch Tuesday crop. Yarden Shafir and Alex Ionescu dive deep into the “PrintDemon” vulnerability in a post on the Windows Internals blog.

    We can finally talk about some of the very exciting technical details of the Windows Print Spooler, and interesting ways it can be used to elevate privileges, bypass EDR rules, gain persistence, and more. Ironically, the Print Spooler continues to be one of the oldest Windows components that still hasn’t gotten much scrutiny, even though it’s largely unchanged since Windows NT 4, and was even famously abused by Stuxnet.

    So far, Shafir and Ionescu have shown that the hole can be set up with a single PowerShell cmdlet that any (unprivileged!) user can run. The “port” it creates is really a file path, and the spooler, which runs as SYSTEM, will write print-job data to whatever path the port names:

    Add-PrinterPort -Name c:\windows\system32\ualapi.dll

    At this point the attack code has to be typed into a machine, so the hole is a long way from being weaponized in a mainstream attack. But I’ll definitely be watching to see if it turns into something you need to be worried about.
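    If you’d rather not wait to find out, here is a quick hunt for the primitive the technique depends on: printer ports whose names are local file paths. This is an added example, not code from the original post or from the Windows Internals write-up. It assumes only the built-in PrintManagement module (Windows 8 / Server 2012 and later); the thresholds for what counts as “High” are my own choice.

```powershell
# Added example: hunt for PrintDemon-style printer ports.
# Not from the original post or the Windows Internals write-up.
# Assumes the built-in PrintManagement module (Windows 8 / Server 2012+).
# Get-PrinterPort and Get-Printer work for a standard user; run elevated for full results.

$SystemRoot = $env:SystemRoot
$ports      = Get-PrinterPort
$printers   = Get-Printer

$findings = foreach ($port in $ports) {
    $name = $port.Name

    # Legitimate local ports look like LPT1:, COM1:, FILE:, nul:, or IP_x.x.x.x / WSD-... for
    # network monitors. A drive-letter path is the odd one out and is what Add-PrinterPort
    # -Name c:\... produces.
    if ($name -notmatch '^[A-Za-z]:\\') { continue }

    $inSystemRoot = $name.StartsWith($SystemRoot, [System.StringComparison]::OrdinalIgnoreCase)
    $binaryExt    = [System.IO.Path]::GetExtension($name) -in '.dll', '.exe', '.sys'

    # Severity thresholds are this example's assumption, not a Microsoft rating.
    $severity = if ($inSystemRoot -or $binaryExt) { 'High' } else { 'Review' }

    [pscustomobject]@{
        PortName     = $name
        Monitor      = $port.PortMonitor
        InSystemRoot = $inSystemRoot
        BinaryExt    = $binaryExt
        UsedBy       = ($printers | Where-Object PortName -eq $name |
                        Select-Object -ExpandProperty Name) -join ', '
        Severity     = $severity
    }
}

if ($findings) {
    $findings | Sort-Object Severity | Format-Table -AutoSize
} else {
    'No printer ports named after local file paths.'
}

# The spooler replays pending jobs from its spool directory when the service starts,
# which is what lets a queued job survive a reboot. Leftover shadow (.SHD) and spool
# (.SPL) files on a box that is not actively printing deserve a look.
Get-ChildItem -Path "$SystemRoot\System32\spool\PRINTERS\*" -Include *.SHD, *.SPL -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime
```

    A port pointing anywhere under the Windows directory, or at a .dll/.exe, has no business existing on a normal machine; a port pointing at a user’s own folder is sometimes a legitimate “print to file” setup and just needs a second look. Removing a bad port is `Remove-PrinterPort -Name <name>`, once any printer bound to it has been removed.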

    Thx, @endi24

    UPDATE: Interesting take from Rob VandenBrink on the ISC Storm Center.

    Microsoft rated this as:

    Disclosed: NO
    Exploited: NO
    Exploitability (old and new versions): Exploitation Less Likely

    Unfortunately, this vulnerability was actually disclosed to Microsoft by the research community (see below), so the code to exploit it absolutely does exist and was disclosed, and a full write-up was posted as soon as the patch came out… Don’t put too much stock in risk ratings assigned to patches. “Lows” and “Mediums” can bite you just as badly as vulnerabilities rated as “High”. This goes for patches as well as scan results or pentest results. If your policy is to patch only Severe and High rated issues, you’ll pay for that eventually.

    I just looked at the CVE article again and, sure enough, it’s still listed as not disclosed, not exploited, and Exploitation less likely.

    ANOTHER UPDATE: Vess Bontchev and Nathan McNulty are trying to figure out how to make it work on Win7. No success reported as yet.