  • On the radar: An exploit for CVE-2020-1048, Windows Print Spooler elevation of privilege


      • #2262455 Reply
        woody
        Da Boss

        It isn’t yet time to go screaming for the exits, but there’s an important analysis of the CVE-2020-1048 security hole, patched in this month’s Patch T
        [See the full post at: On the radar: An exploit for CVE-2020-1048, Windows Print Spooler elevation of privilege]

        2 users thanked author for this post.
      • #2262642 Reply
        anonymous
        Guest

        Does anyone know if stopping and disabling the spooler service provides a work around for this vulnerability?

        Thanks,

        Jim

        • #2262670 Reply
          anonymous
          Guest

          I think that I can answer my own question.

          After stopping and disabling the Print Spooler service I attempted to run the PowerShell exploit command and it failed due to the service not running:

          PS C:\Users\Administrator> Add-PrinterPort -Name fafdfdsafds
          Add-PrinterPort : The spooler service is not reachable. Ensure the spooler service is running.
          At line:1 char:1
          + Add-PrinterPort -Name fafdfdsafds
          + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo : NotSpecified: (MSFT_PrinterPortTasks:ROOT/StandardCimv2/MSFT_PrinterPortTasks) [Add-PrinterPort], CimException
          + FullyQualifiedErrorId : HRESULT 0x800706ba,Add-PrinterPort

          I’m just astounded that this ridiculously easy workaround isn’t mentioned by MS or any of the other sites that I’ve looked at on this vulnerability.

          Yeah, you won’t be able to print until you patch, but that’s better than being owned.

          Jim

          • #2262740 Reply
            anonymous
            Guest

            If they can run Powershell to issue that command, they can use SC or WMIC to enable the service you just disabled. Sorry to say but your fix is not good.

            1 user thanked author for this post.
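            Putting Jim's workaround and the follow-up objection together, here is an added PowerShell example (not code from the thread) that disables the spooler on a host that never prints and then looks for the Service Control Manager event logged whenever the start type is changed back, which is the re-enable path the reply describes. It assumes an elevated PowerShell 5.1+ session and the stock `Spooler` service name.

            ```powershell
            # Added example, not from the thread: harden hosts that never print by
            # disabling the Print Spooler, and watch for the start type being changed
            # back (via sc.exe, WMIC or Set-Service), which would undo the mitigation.

            # Stop the service if it is running and set it to Disabled.
            # Requires an elevated PowerShell session.
            function Disable-PrintSpooler {
                $svc = Get-Service -Name Spooler -ErrorAction Stop
                if ($svc.Status -ne 'Stopped') {
                    Stop-Service -Name Spooler -Force
                }
                Set-Service -Name Spooler -StartupType Disabled
                Get-Service -Name Spooler | Select-Object Name, Status, StartType
            }

            # Service Control Manager writes System event 7040 whenever a service's
            # start type changes (e.g. "from disabled to auto start"). Filtering it to
            # the Print Spooler gives a simple detection for the mitigation being undone.
            function Get-SpoolerStartTypeChanges {
                param([int]$Hours = 24)
                Get-WinEvent -FilterHashtable @{
                    LogName      = 'System'
                    ProviderName = 'Service Control Manager'
                    Id           = 7040
                    StartTime    = (Get-Date).AddHours(-$Hours)
                } -ErrorAction SilentlyContinue |
                Where-Object { $_.Message -match 'Print Spooler' } |
                Select-Object TimeCreated, @{ n = 'User'; e = { $_.UserId } }, Message
            }

            Disable-PrintSpooler
            Get-SpoolerStartTypeChanges -Hours 24
            ```

            An empty result from the second function means no start-type change was logged in the window; a row showing a change away from `disabled` is the signal worth investigating.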
      • #2262694 Reply
        DrBonzo
        AskWoody Plus

        Some of the links in this thread say that 1) the attack code has to be typed into a machine, and/or 2) the attack can’t be spread over the internet.

        Are 1) and 2) implying that the attacker needs physical access to the computer or access to at least a network that the computer is on?

        • #2262749 Reply
          OscarCP
          AskWoody Plus

          DrBonzo,

          I think that the one way the bug can be transmitted is via infected emails or from infected Web sites. They might come from crooks sending phishing emails and setting up phony sites to snare the unwary, or from good and trusted correspondents and Web sites with neither side knowing they have been infected and are unwittingly spreading the poison. The main problem seems to be that, once a computer is infected, the bug opens a backdoor that cannot be closed with a patch. So the relevant patches should be applied before this happens, as preventive vaccine and not after the fact remedy.

          An interesting twist to this story is that the person who developed a proof-of-concept program posted it, with all relevant information, on GitHub, as I presume many others in the same kind of business do, now and then. It looks like GitHub was massively hacked and many programs of all kinds and their documentation were stolen a few days ago (Alex5723 started a thread on that yesterday). Fortunately, the proof-of-concept of interest here was not among that booty, because it was posted on GitHub just over the last two days. This is Alex’s thread, for the benefit of those who may feel curious about this:

          https://www.askwoody.com/forums/topic/microsofts-github-account-has-been-hacked/

          Windows 7 Professional, SP1, x64 Group W (ex B) & macOS + Linux (Mint)

          1 user thanked author for this post.
      • #2262798 Reply
        Paul T
        AskWoody MVP

        I think that the one way the bug can be transmitted is via infected emails or from infected Web sites

        It’s not that easy. You have to run commands on a machine, either via physical access or persuading the user to run a program, not remotely. This makes it a very low risk unless you are in the habit of running the “latest shiny thing” or leaving your computer unlocked in public.

        cheers, Paul

        1 user thanked author for this post.
        • #2262815 Reply
          anonymous
          Guest

          It’s not that easy. You have to run commands on a machine, either via physical access or persuading the user to run a program, not remotely. This makes it a very low risk…

          It isn’t that low risk though. You don’t need any escalation of privilege to make this happen. This could be wrapped up in any number of things that a user could be persuaded to execute. Given that some people will run almost any shiny and/or free stuff that comes their way, that makes it quite a serious vulnerability.

          1 user thanked author for this post.
        • #2262859 Reply
          mn–
          AskWoody Lounger

          You have to run commands on a machine, either via physical access or persuading the user to run a program, not remotely.

          Do you mean that isn’t exploitable via PowerShell remoting, Sysinternals PsExec, or the other usual remote admin methods?

          I’d like to have that confirmed…

          1 user thanked author for this post.
          • #2262865 Reply
            woody
            Da Boss

            A lot of people are working on that exact question right now.

      • #2262984 Reply
        OscarCP
        AskWoody Plus

        According to what the zdnet article says, it opens a backdoor that cannot be closed with a patch. That sounds odd to me, but there it is.

        https://www.zdnet.com/article/printdemon-vulnerability-impacts-all-windows-versions/

        “On an unpatched system, this will install a persistent backdoor, that won’t go away *even after you patch*,” Ionescu said.

        Ionescu is the one who posted the proof-of-concept and associated documentation on GitHub — fortunately after it was, allegedly, massively hacked and many programs and documents kept there got stolen including, I would imagine, other bugs “proofs of concept.” (See link to the relevant thread and, from there, to the article about this in my previous comment.)

        Windows 7 Professional, SP1, x64 Group W (ex B) & macOS + Linux (Mint)

        1 user thanked author for this post.
      • #2287164 Reply
        anonymous
        Guest

        Hi, first post. Registered because of this thread, how gnarly I think this exploit is, and the knowledgeable folks talking here. I like it.

        Anywho, was reading in an article that the Stuxnet virus used the print spooler elevation, and that was ten years ago and it hasn’t been changed.

        It’s a problem even if your hard drive is encrypted if you’re on windows and dumb enough to get phished into playing yourself, it seems like with the right social engineering and the right “pigeon” it could be doing a ton of damage. I wonder why it never was changed?
