PrintDemon: The Demon Striking all the Windows Versions

A report about a vulnerability in the Windows printing service, named PrintDemon, has recently been released. According to the details, it impacts all Windows versions, even Windows NT 4, which dates back to 1996.

The vulnerability is located in the Windows Print Spooler, a primary component of the Windows printing interface. The service can send data to be printed to a USB/parallel port, a transmission control protocol (TCP) port, or a local file.

Security researchers found a bug in this old component that can be abused to hijack the Print Spooler's internal mechanism. The bug can't be used to break into a Windows client remotely over the internet, so it is not something that could be exploited to hack Windows systems at random over the internet.

According to the report, the vulnerability can be abused to take over the internal mechanism of the Print Spooler.

It can be described as a local privilege escalation (LPE) vulnerability. This means that after compromising an app or a Windows machine, even with only user-mode privileges, an attacker can run something as simple as one unprivileged PowerShell command to achieve administrator-level privileges over the entire operating system.

What can attackers do?

The Print Spooler service is available to every app running on a system, without restrictions. It allows an attacker to create a print job that prints to a file, for example a local DLL file used by the OS or by another app.

The attacker can initiate the printing operation, intentionally crash the Print Spooler service, and then let the job resume; this time the printing operation runs with SYSTEM privileges, allowing it to overwrite any file anywhere on the OS.

Exploitation on current OS versions requires a single line of PowerShell, while older Windows versions might need some changes. On an unpatched system, attackers can install a persistent backdoor that does not go away even after the system is patched.
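As an added, defender-side example (not code from this article or from the researchers' proof of concept), the PowerShell audit below hunts for the two artefacts the description above implies: a Local Port whose name is a file path rather than LPT/COM/FILE:, and spooler job files that persist across a service restart. It assumes the PrintManagement module (Get-PrinterPort) is available and that the Local Port monitor keeps its port list under the registry key named in the script.

```powershell
# Added detection example; not code from the original article or from the
# PrintDemon researchers. Hunts for the artefacts the article describes:
# a printer port whose name is a local file path, and spooler job files
# that would be replayed when the service restarts.
# Assumptions: the PrintManagement module (Get-PrinterPort) is present, and
# the Local Port monitor keeps its ports under the registry key below.
#Requires -RunAsAdministrator

$filePathPattern = '^[A-Za-z]:\\'              # e.g. C:\Windows\...
$sensitiveExt    = '\.(dll|exe|sys|ps1|bat|cmd)$'
$localPortKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors\Local Port\Ports'
$spoolDir        = Join-Path $env:SystemRoot 'System32\spool\PRINTERS'

function Get-FilePathPrinterPort {
    # Ports as the spooler reports them through CIM.
    foreach ($p in Get-PrinterPort -ErrorAction Stop) {
        if ($p.Name -match $filePathPattern) {
            $sev = if ($p.Name -match $sensitiveExt) { 'High' } else { 'Medium' }
            [pscustomobject]@{ Source='Get-PrinterPort'; Port=$p.Name; Monitor=$p.PortMonitor; Severity=$sev }
        }
    }
    # Same list straight from the registry, in case the CIM view is incomplete.
    if (Test-Path $localPortKey) {
        foreach ($v in (Get-ItemProperty -Path $localPortKey).PSObject.Properties) {
            if ($v.Name -match $filePathPattern) {
                $sev = if ($v.Name -match $sensitiveExt) { 'High' } else { 'Medium' }
                [pscustomobject]@{ Source='Registry'; Port=$v.Name; Monitor='Local Port'; Severity=$sev }
            }
        }
    }
}

function Get-PersistedSpoolJob {
    # .SHD/.SPL pairs left in the spool directory are re-read when the
    # Print Spooler starts; a job that survives restarts is worth a look.
    if (Test-Path $spoolDir) {
        Get-ChildItem -Path $spoolDir -Include *.SHD, *.SPL -Recurse -Force -ErrorAction SilentlyContinue |
            Select-Object Name, Length, LastWriteTime
    }
}

$ports = @(Get-FilePathPrinterPort)
$jobs  = @(Get-PersistedSpoolJob)
if ($ports.Count -eq 0 -and $jobs.Count -eq 0) {
    Write-Host 'No file-path printer ports and no persisted spool jobs found.'
} else {
    $ports | Format-Table -AutoSize
    $jobs  | Format-Table -AutoSize
}
```

A hit is a lead, not proof: confirm who created the port and when before acting on it, and compare the spool files against jobs the spooler currently lists.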

Recommendations:

  • Microsoft released fixes for PrintDemon, tracked under the CVE-2020-1048 identifier.
  • The proof-of-concept code is available on GitHub to help security researchers and system administrators examine the vulnerability and devise mitigations and detection capabilities.
  • Make sure the system is updated and all software is running its latest version.
  • Avoid working on an outdated operating system. Always work on its latest version.
  • Be more careful about printer drivers and printer ports. These two elements have drawn attackers to perform all sorts of interesting attacks.
  • PrintDemon is a PoC for a series of issues. Follow https://windows-internals.com/printdemon-cve-2020-1048/ for all of the information.