Although Microsoft vigilantly patches hundreds of bugs every month, though something always gets missed. While most of the bugs requiring urgent attention are new, sometimes, researchers also discover bugs existing for decades. Once again, a PrintDemon vulnerability has come into the limelight that existed for over two decades.
PrintDemon Vulnerability In Windows
Researchers have caught a serious vulnerability in the Windows Print Spooler component responsible for managing the printing process. Dubbed PrintDemon, the vulnerability affects all Windows systems dating back to 1996.
The bug first caught the attention of SafeBreach Labs researchers, Peleg Hadar and Tomer Bar.
Whereas, Yarden Shafir & Alex Ionescu have shared their own details about the bug in a blog post.
Briefly, a local privilege escalation vulnerability existed in this Windows component that remained “largely unchanged since Windows NT 4”.
The exploitation of thig bug in the wild is less likely since the bug cannot assist in remote attacks. However, for local attacks, the bug bears tremendous potential. Since it exists in the ‘Print’ service, something related to almost every app on a system, a potential attacker can easily exploit the vulnerability to gain elevated privileges (including admin) on the device.
In fact, Ionescu explained in a tweet that the bug can result in persistent impact despite patching.
Attackers can exploit CVE-2020-1048 with a single PowerShell command:
Add-PrinterPort -Name c:windowssystem32ualapi.dll
On an unpatched system, this will install a persistent backdoor, that won't go away *even after you patch*.
See https://t.co/9yMSWNM8VG for more details.
— Alex Ionescu (@aionescu) May 13, 2020
The SafeBreach Labs duo will present their findings in the upcoming BlackHat USA 2020. Yet, Ionescu has shared a PoC on GitHub.
Patches Rolled Out
With this month’s Patch Tuesday updates, Microsoft has released the fix for this vulnerability, CVE-2020-1048, as well. Describing the details in an advisory, Microsoft stated,
An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly allows arbitrary writing to the file system. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Though, the users will receive the patches automatically with other updates.
Nonetheless, users may also manually update their systems to download the fixes quickly.
Let us know your thoughts in the comments.