Attacker Value: High

CVE-2020-1048: Windows Print Spooler Elevation of Privilege Vulnerability

Disclosure Date: May 21, 2020

Exploitability: Moderate (1 user assessed)
Attack Vector: Local
Privileges Required: Low
User Interaction: None

Description

An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly allows arbitrary writing to the file system, aka ‘Windows Print Spooler Elevation of Privilege Vulnerability’. This CVE ID is unique from CVE-2020-1070.

Technical Analysis

OK, so to start off with, this is bad and you should patch. That said, to my understanding, it is completely disingenuous to say:
Attackers can exploit CVE-2020-1048 with a single PowerShell command:
Add-PrinterPort -Name c:\windows\system32\ualapi.dll

From a cursory read and some playing, I think the way this exploit works is by creating a printer (something regular users can do) and instead of giving it a port, give it a path. That means when it tries to write to the printer port, it finds a file and writes to it. That’s relatively straightforward, but significantly oversimplified. In the above example, we write to a location vulnerable to a dll hijack (C:\windows\system32\ualapi.dll) which is well-known and talked about here: https://enigma0x3.net/2019/07/24/cve-2019-13382-privilege-escalation-in-snagit/.

The novel trick here, like many recent exploits, is magic to get an arbitrary file write to a trusted location.

So to do that, you can use the above command, but you need to set up several steps first, and even then it won’t work as advertised. I really appreciate their work, but in the blog out right now (https://windows-internals.com/printdemon-cve-2020-1048/) the authors attempt to obfuscate to prevent script kiddies so much they miss the mark on assisting and explaining how the exploit works. They take you down so many false leads, it is like talking to a southerner, and after every direction you get, they say “but that’ll do ya no good.” To explain with brevity, run these commands in PowerShell:

Add-PrinterDriver -Name "Generic / Text Only"
Add-PrinterPort -Name "<whatever>"
Add-Printer -Name "PrintDemon" -DriverName "Generic / Text Only" -PortName "<whatever>"
"Hello World" | Out-Printer -Name "PrintDemon"

Voilà, you create a file with markup trash in it. If this were your payload, it would not run. Unless the authors are hiding something, you need to use the Windows API to actually get a file without any sort of markup garbage in it.
So… yes, you can write a useless file with that one command… if you’ve already run several other commands?

There is a PoC, so it is serious, but this is not a single command to root backdoor. It is more like several thousand lines of code and some well-timed execution gets you a rooted backdoor.
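A defensive check added here, not part of the assessment above or of the PrintDemon write-up: the abuse described relies on a printer port whose "name" is really a filesystem path, so an administrator can enumerate ports and flag any that look like a path, especially under System32 or Program Files. It assumes the PrintManagement module (Get-PrinterPort, Get-Printer) is available on the host being audited; the list of sensitive roots is an assumption to adjust per environment.

```powershell
# Added audit script (not from the original page): list printer ports that name a
# file path rather than a real port, and whether any printer is bound to them.
function Find-SuspiciousPrinterPorts {
    [CmdletBinding()]
    param(
        # Directories where an arbitrary write would matter most (assumed list; adjust).
        [string[]]$SensitiveRoots = @(
            "$env:SystemRoot\System32",
            "$env:SystemRoot\SysWOW64",
            "$env:ProgramFiles",
            "${env:ProgramFiles(x86)}"
        )
    )
    $printers = Get-Printer -ErrorAction SilentlyContinue
    foreach ($port in Get-PrinterPort -ErrorAction SilentlyContinue) {
        # Legitimate ports look like "LPT1:", "USB001" or "IP_10.0.0.5";
        # a drive-letter or UNC path is what the vulnerability turns into a file write.
        if ($port.Name -match '^(\\\\|[A-Za-z]:\\)') {
            $resolved = try { [System.IO.Path]::GetFullPath($port.Name) } catch { $port.Name }
            $sensitive = $false
            foreach ($root in $SensitiveRoots) {
                if ($root -and $resolved.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $sensitive = $true
                }
            }
            # Printers bound to the port show whether the path can actually be written to via a job.
            $users = ($printers | Where-Object { $_.PortName -eq $port.Name } |
                      Select-Object -ExpandProperty Name) -join ', '
            [pscustomobject]@{
                PortName        = $port.Name
                ResolvedPath    = $resolved
                InSensitiveRoot = $sensitive
                UsedByPrinters  = $users
                FileExists      = Test-Path -LiteralPath $resolved
            }
        }
    }
}

# Most concerning entries first; no output means no path-shaped ports were found.
Find-SuspiciousPrinterPorts | Sort-Object -Property InSensitiveRoot -Descending | Format-Table -AutoSize
```

This only catches ports that still exist at audit time; a port created and removed between audits leaves no trace here, so treat it as a periodic check, not a substitute for patching.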
