A vulnerability in a decades-old Windows component that controls printing on machines running the operating system could be abused by malicious actors to gain elevated privileges on the targeted system, according to security researchers Yarden Shafir and Alex Ionescu.
The flaw, which they dubbed PrintDemon, resides in Windows Print Spooler and affects all Windows versions since Windows NT4.0, released in 1996. The component has remained largely unchanged since; another vulnerability affecting it was abused by the infamous Stuxnet a decade ago.
“An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly allows arbitrary writing to the file system. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” said Microsoft. Windows 7, 8.1, 10, and Windows Server 2008, 2012, 2016, and 2019 all contained the vulnerability.
Attackers can exploit CVE-2020-1048 with a single PowerShell command:
Add-PrinterPort -Name c:windowssystem32ualapi.dll
On an unpatched system, this will install a persistent backdoor, that won’t go away *even after you patch*.
See https://t.co/9yMSWNM8VG for more details.
— Alex Ionescu (@aionescu) May 13, 2020
Indexed as CVE-2020-1048, the flaw cannot be abused remotely, however. Microsoft deemed its exploitation as not particularly likely and said that an attacker would need to log on to an affected system and use a specially written script or application. The vulnerability can be abused to elevate privileges, bypass endpoint detection and response rules, and gain persistence.
Peleg Hadar and Tomer Bar from SafeBreach Labs have been credited with the discovery of the flaw.
As part of this month’s Patch Tuesday, which plugged a total of 111 security holes, Microsoft changed how the Windows Print Spooler Component writes data to the file system. You’re best advised to download and apply the update. No patch is available for systems past end of life, however.