Attacker Value
High
(1 user assessed)
Exploitability
Moderate
(1 user assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Local
4

CVE-2020-1048: Windows Print Spooler Elevation of Privilege Vulnerability

Disclosure Date: May 21, 2020
Exploited in the Wild
Reported by ccondon-r7
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly allows arbitrary writing to the file system, aka ‘Windows Print Spooler Elevation of Privilege Vulnerability’. This CVE ID is unique from CVE-2020-1070.

Add Assessment

8
Ratings
Technical Analysis

Update: There exist two bypasses to the patch microsoft released. The first, CVE-2020-1337 was presented at blackhat. The second is based on file junctions and is explained here: https://blog.hiveminds.es/en/posts/cve-2020-1337_my_two_cents/

There should be a patch out for the new CVE-2020-1337, but the junction may yet be a zero day. I have not had the opportunity to examine it in detail, though it appears from the blog it requires reboots and maintained access. While not impossible, it is less valuable.

OK, so to start off with, this is bad and you should patch. That said, to my understanding, it is completely disingenuous to say:
Attackers can exploit CVE-2020-1048 with a single PowerShell command:
Add-PrinterPort -Name c:\windows\system32\ualapi.dll

From a cursory read and some playing, I think the way this exploit works is by creating a printer (something regular users can do) and instead of giving it a port, give it a path. That means when it tries to write to the printer port, it finds a file and writes to it. That’s relatively straightforward, but significantly oversimplified. In the above example, we write to a location vulnerable to a dll hijack (C:\windows\system32\ualapi.dll) which is well-known and talked about here: https://enigma0x3.net/2019/07/24/cve-2019-13382-privilege-escalation-in-snagit/.

The novel trick here, like many recent exploits, is magic to get an arbitrary file write to a trusted location.

So to do that, you can use the above command, but you need to set up several steps first, and even then it won’t work as advertised. I really appreciate their work, but In the blog out right now (https://windows-internals.com/printdemon-cve-2020-1048/) the authors attempt to obfuscate to prevent script kiddies so much they miss the mark on assisting and explaining how the exploit works. They take you down so many false leads, it is like talking to a southerner, and after every direction you get, they say “but that’ll do ya no good.” To explain with brevity, run these commands in powershell:

Add-PrinterDriver -Name "Generic / Text Only"
Add-PrinterPort -Name "<whatever>"
Add-Printer -Name "PrintDemon" -DriverName "Generic / Text Only" -PortName "<whatever>"
"Hello World" |  Out-Printer -Name "PrintDemon"

Viola, you create a file with markup trash in it. If this were your payload, it would not run. Unless the authors are hiding something, you need to use the WindowsAPI to actually get a file without any sort of markup garbage in it.
So…. yes, you can write a useless file with that one command….. if you’ve already run several other commands?

There is a PoC, so it is serious, but this is not a single command to root backdoor. It is more like several thousand lines of code and some well-timed execution gets you a rooted backdoor.

General Information

Vendors

  • Microsoft

Products

  • Windows,
  • Windows Server,
  • Windows 10 Version 1909 for 32-bit Systems,
  • Windows 10 Version 1909 for x64-based Systems,
  • Windows 10 Version 1909 for ARM64-based Systems,
  • Windows Server, version 1909 (Server Core installation),
  • Windows 10 Version 1903 for 32-bit Systems,
  • Windows 10 Version 1903 for x64-based Systems,
  • Windows 10 Version 1903 for ARM64-based Systems,
  • Windows Server, version 1903 (Server Core installation)

Additional Info

Technical Analysis