AttackerKB AKB:362F79D7-960E-482E-A7B9-1913E43D7BAC
History: May 21, 2020 - 12:00 a.m.

CVE-2020-1048: Windows Print Spooler Elevation of Privilege Vulnerability


7.8 High (CVSS v3)

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

9.3 High (CVSS v2)

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly allows arbitrary writing to the file system, aka ‘Windows Print Spooler Elevation of Privilege Vulnerability’. This CVE ID is unique from CVE-2020-1070.

Recent assessments:

bwatters-r7 at May 14, 2020 12:36am UTC reported:

Update: There exist two bypasses to the patch Microsoft released. The first, CVE-2020-1337, was presented at Black Hat. The second is based on file junctions and is explained here: <https://blog.hiveminds.es/en/posts/cve-2020-1337_my_two_cents/>

There should be a patch out for the new CVE-2020-1337, but the junction may yet be a zero day. I have not had the opportunity to examine it in detail, though it appears from the blog it requires reboots and maintained access. While not impossible, it is less valuable.

OK, so to start off with, this is bad and you should patch. That said, to my understanding, it is completely disingenuous to say:
Attackers can exploit CVE-2020-1048 with a single PowerShell command:
Add-PrinterPort -Name c:\windows\system32\ualapi.dll

From a cursory read and some playing, I think the way this exploit works is by creating a printer (something regular users can do) and, instead of giving it a port, giving it a path. That means when it tries to write to the printer port, it finds a file and writes to it. That’s relatively straightforward, but significantly oversimplified. In the above example, we write to a location vulnerable to a DLL hijack (C:\windows\system32\ualapi.dll), which is well known and talked about here: <https://enigma0x3.net/2019/07/24/cve-2019-13382-privilege-escalation-in-snagit/>.

The novel trick here, like many recent exploits, is magic to get an arbitrary file write to a trusted location.

So to do that, you can use the above command, but you need to set up several steps first, and even then it won’t work as advertised. I really appreciate their work, but in the blog out right now (<https://windows-internals.com/printdemon-cve-2020-1048/>) the authors attempt to obfuscate to prevent script kiddies so much that they miss the mark on assisting and explaining how the exploit works. They take you down so many false leads, it is like talking to a southerner, and after every direction you get, they say “but that’ll do ya no good.” To explain with brevity, run these commands in PowerShell:

# Install a driver that ships with Windows
Add-PrinterDriver -Name "Generic / Text Only"
# Create the port; the port name is the path the spooler will write to
Add-PrinterPort -Name "<whatever>"
# Bind a printer to that driver and port
Add-Printer -Name "PrintDemon" -DriverName "Generic / Text Only" -PortName "<whatever>"
# Send a job; the spooler writes the rendered output to the "port"
"Hello World" | Out-Printer -Name "PrintDemon"

Voilà, you create a file with markup trash in it. If this were your payload, it would not run. Unless the authors are hiding something, you need to use the Windows API to actually get a file without any sort of markup garbage in it.
So… yes, you can write a useless file with that one command… if you’ve already run several other commands?

There is a PoC, so it is serious, but this is not a single command to root backdoor. It is more like several thousand lines of code and some well-timed execution gets you a rooted backdoor.

Assessed Attacker Value: 4
Assessed Exploitability: 3
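The primitive described in the assessment above, a printer port whose "name" is really a file-system path, also gives defenders something concrete to hunt for on an unpatched or possibly already-abused host. The following PowerShell is an added example written for this page; it is not code from the assessment, from the AttackerKB page, or from the PrintDemon authors. It assumes a Windows host with the PrintManagement cmdlets (Get-Printer, Get-PrinterPort), the Local Port monitor's registry location under HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\Local Port\Ports, and a hypothetical allow-list of default port names that look unusual but are benign; the function name Get-SuspiciousPrinterPort is the author's own.

```powershell
# Added example, not part of the original assessment. Hunts for printer ports
# whose names are rooted file-system paths, i.e. the PrintDemon write target.

function Get-SuspiciousPrinterPort {
    [CmdletBinding()]
    param(
        # Default Windows ports that look odd but are benign (assumed allow-list).
        [string[]]$Allow = @('FILE:', 'PORTPROMPT:', 'nul:', 'SHRFAX:')
    )

    # A port whose name is a rooted path (C:\... or \\server\share\...) is a
    # file-write target, not a device. Normal ports look like LPT1:, COM1:,
    # USB001 or IP_192.0.2.10.
    $pathLike = '^(?:[A-Za-z]:\\|\\\\)'

    # Map port name -> printers bound to it, so a hit can be tied to a printer.
    $printersByPort = @{}
    foreach ($p in (Get-Printer -ErrorAction SilentlyContinue)) {
        $printersByPort[$p.PortName] += @($p.Name)
    }

    # 1. Live view through the spooler API (PrintManagement module).
    foreach ($port in (Get-PrinterPort -ErrorAction SilentlyContinue)) {
        if ($port.Name -match $pathLike -and $Allow -notcontains $port.Name) {
            [pscustomobject]@{
                Source   = 'Get-PrinterPort'
                Port     = $port.Name
                Printers = ($printersByPort[$port.Name] -join '; ')
            }
        }
    }

    # 2. On-disk view: the Local Port monitor persists each port as a value
    # name under this key, so this check works even with the spooler stopped.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors\Local Port\Ports'
    if (Test-Path $key) {
        foreach ($name in (Get-Item $key).GetValueNames()) {
            if ($name -match $pathLike -and $Allow -notcontains $name) {
                [pscustomobject]@{
                    Source   = 'Registry'
                    Port     = $name
                    Printers = ($printersByPort[$name] -join '; ')
                }
            }
        }
    }
}

# Usage: list any path-named ports and the printers attached to them.
Get-SuspiciousPrinterPort | Format-Table -AutoSize
```

Run it elevated so the registry view is complete. A hit is not proof of exploitation (an administrator can legitimately create a port that prints to a file), but a port pointing at a directory such as C:\Windows\System32, or one still present after the printer using it is gone, deserves a look; a confirmed bad port is removed with Remove-PrinterPort -Name followed by deleting the file it wrote.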
