• On the radar: An exploit for CVE-2020-1048, Windows Print Spooler elevation of privilege

    Posted on May 13, 2020 at 18:17 CDT by Comment in the Forums

    It isn’t yet time to go screaming for the exits, but there’s an important analysis of the CVE-2020-1048 security hole, patched in this month’s Patch Tuesday crop. Yarden Shafir and Alex Ionescu dive deep into the “PrintDemon” vulnerability in Windows Internals.

    We can finally talk about some of the very exciting technical details of the Windows Print Spooler, and interesting ways it can be used to elevate privileges, bypass EDR rules, gain persistence, and more. Ironically, the Print Spooler continues to be one of the oldest Windows components that still hasn’t gotten much scrutiny, even though it’s largely unchanged since Windows NT 4, and was even famously abused by Stuxnet

    At this point, Shafir and Ionescu have found a way to use the hole with an (unprivileged!) PowerShell command:

    Add-PrinterPort -Name c:\windows\system32\ualapi.dll

    At this point the attack code has to be typed into a machine, so the hole is a long way from being weaponized in a mainstream attack. But I’ll definitely be watching to see if it turns into something you need to be worried about.

    Thx, @endi24

    UPDATE: Interesting take from Rob VandenBrink on the ISC Storm Center.

    Microsoft rated this as:

    Disclosed: NO
    Exploited: NO
    Exploitability (old and new versions) Exploitation Less Likely

    Unfortunately, this vulnerabiltiy was actually disclosed to Microsoft by the research community (see below), so the code to exploit it absolutely does exist and was disclosed, and a full write-up was posted as soon as the patch came out… Don’t put too much stock in risk ratings assigned to patches.  “Lows” and “Mediums” can bite you just as badly as vulnerabilities rated as “High”.  This goes for patches as well as scan results or pentest results.  If your policy is to patch only Severe and High rated issues, you’ll pay for that eventually.

    I just looked at the CVE article again and, sure enough, it’s still listed as not disclosed, not exploited, and Exploitation less likely.

    ANOTHER UPDATE: Vess Bontchev and Nathan McNulty are trying to figure out how to make it work on Win7. No success report as yet.

    Windows Patches/Security
DON'T MISS OUT!
Subscribe to the Free Newsletter
We promise not to spam you. Unsubscribe at any time.
Invalid email address

View the Forum

  • Recent Replies
  • My Replies
  • My Active Topics
  • New Posts in the Last day
  • Private Messages
  • Knowledge Base
  • How to use the Forums
  • All Forums

    • Recent Topics

    My Profile

    April 2025
    S M T W T F S
     12345
    6789101112
    13141516171819
    20212223242526
    27282930  

    Remembering Woody

     

    Want to Advertise in the free newsletter? How about a gift subscription in honor of a birthday? Send an email to sb@askwoody.com to ask how.

    Mastodon profile for DefConPatch
    Mastodon profile for AskWoody

     

    Home About FAQ Posts & Privacy Forums My Account
    Register Free Newsletter Plus Membership Gift Certificates MS-DEFCON Alerts

    Copyright ©2004-2025 by AskWoody Tech LLC. All Rights Reserved.