• On the radar: An exploit for CVE-2020-1048, Windows Print Spooler elevation of privilege


    #2262455

    It isn’t yet time to go screaming for the exits, but there’s an important analysis of the CVE-2020-1048 security hole, patched in this month’s Patch T
    [See the full post at: On the radar: An exploit for CVE-2020-1048, Windows Print Spooler elevation of privilege]

    2 users thanked author for this post.
    Viewing 4 reply threads
    • #2262642

      Does anyone know if stopping and disabling the spooler service provides a work around for this vulnerability?

      Thanks,

      Jim

      • #2262670

        I think that I can answer my own question.

        After stopping and disabling the Print Spooler service I attempted to run the PowerShell exploit command and it failed due to the service not running:

        PS C:\Users\Administrator> Add-PrinterPort -Name fafdfdsafds
        Add-PrinterPort : The spooler service is not reachable. Ensure the spooler service is running.
        At line:1 char:1
        + Add-PrinterPort -Name fafdfdsafds
        + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo : NotSpecified: (MSFT_PrinterPortTasks:ROOT/StandardCimv2/MSFT_PrinterPortTasks) [Add-PrinterPort], CimException
        + FullyQualifiedErrorId : HRESULT 0x800706ba,Add-PrinterPort

        I’m just astounded that this ridiculously easy workaround isn’t mentioned by MS or any of the other sites that I’ve looked at on this vulnerability.

        Yeah, you won’t be able to print until you patch, but that’s better than being owned.

        Jim

        • #2262740

          If they can run PowerShell to issue that command, they can use SC or WMIC to enable the service you just disabled. Sorry to say but your fix is not good.

          1 user thanked author for this post.
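          The workaround Jim describes and the caveat in the reply above, as an added example that is not from either poster: a script that stops and disables the Spooler service, probes with the same Add-PrinterPort command, and can be re-run (for instance from a scheduled task) to detect the service being switched back on. It assumes an elevated PowerShell session on Windows with the PrintManagement module; the probe port name is a throwaway value chosen here.

```powershell
# Added example, not code from the thread. Run elevated on a Windows host.

function Disable-SpoolerWorkaround {
    # Stop the service and set it to Disabled so it stays down across reboots.
    Stop-Service -Name Spooler -Force -ErrorAction Stop
    Set-Service -Name Spooler -StartupType Disabled
}

function Test-SpoolerWorkaround {
    # Reports whether the workaround is still in place. Re-run this periodically:
    # as noted above, anyone with a shell can re-enable the service with sc or wmic,
    # so a one-off disable is not a durable control.
    $svc = Get-Service -Name Spooler
    $addPortFailed = $false
    $probeName = 'probe_port_workaround_check'   # constructed throwaway name
    try {
        # Same probe as in the post: with the spooler down this must throw.
        Add-PrinterPort -Name $probeName -ErrorAction Stop
        # If it succeeded the spooler is reachable; clean up the probe port.
        Remove-PrinterPort -Name $probeName -ErrorAction SilentlyContinue
    } catch {
        $addPortFailed = $true
    }
    [pscustomobject]@{
        Status        = $svc.Status
        StartType     = $svc.StartType
        AddPortFailed = $addPortFailed
        WorkaroundOK  = ($svc.Status -eq 'Stopped' -and
                         $svc.StartType -eq 'Disabled' -and
                         $addPortFailed)
    }
}

Disable-SpoolerWorkaround
$state = Test-SpoolerWorkaround
$state | Format-List
if (-not $state.WorkaroundOK) {
    Write-Warning 'Spooler is reachable or set to start again: workaround is not in effect.'
}
```

          Until the host is patched, a WorkaroundOK of False on a later run is the signal that something (an administrator or an attacker, per the reply above) has brought the spooler back.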
    • #2262694

      Some of the links in this thread say that 1) the attack code has to be typed into a machine, and/or 2) the attack can’t be spread over the internet.

      Are 1) and 2) implying that the attacker needs physical access to the computer or access to at least a network that the computer is on?

      • #2262749

        DrBonzo,

        I think that the one way the bug can be transmitted is via infected emails or from infected Web sites. They might come from crooks sending phishing emails and setting up phony sites to snare the unwary, or from good and trusted correspondents and Web sites with neither side knowing they have been infected and are unwittingly spreading the poison. The main problem seems to be that, once a computer is infected, the bug opens a backdoor that cannot be closed with a patch. So the relevant patches should be applied before this happens, as preventive vaccine and not after the fact remedy.

        An interesting twist to this story is that the person who developed a proof-of-concept program posted it, with all relevant information, on GitHub, as I presume many others in the same kind of business do, now and then. It looks like GitHub was massively hacked and many programs of all kinds and their documentation were stolen a few days ago (Alex5723 started a thread on that yesterday). Fortunately, the proof-of-concept of interest here was not among that booty, because it was posted on GitHub just over the last two days. This is Alex’s thread, for the benefit of those who may feel curious about this:

        https://www.askwoody.com/forums/topic/microsofts-github-account-has-been-hacked/

        Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

        MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
        Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
        macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

        1 user thanked author for this post.
    • #2262798

      I think that the one way the bug can be transmitted is via infected emails or from infected Web sites

      It’s not that easy. You have to run commands on a machine, either via physical access or persuading the user to run a program, not remotely. This makes it a very low risk unless you are in the habit of running the “latest shiny thing” or leaving your computer unlocked in public.

      cheers, Paul

      1 user thanked author for this post.
      • #2262815

        It’s not that easy. You have to run commands on a machine, either via physical access or persuading the user to run a program, not remotely. This makes it a very low risk…

        It isn’t that low risk though. You don’t need any escalation of privilege to make this happen. This could be wrapped up in any number of things that a user could be persuaded to execute. Given that some people will run almost any shiny and/or free stuff that comes their way, that makes it quite a serious vulnerability.

        1 user thanked author for this post.
      • #2262859

        You have to run commands on a machine, either via physical access or persuading the user to run a program, not remotely.

        Do you mean that isn’t exploitable via PowerShell remoting, Sysinternals PsExec, or the other usual remote admin methods?

        I’d like to have that confirmed…

        1 user thanked author for this post.
        • #2262865

          A lot of people are working on that exact question right now.

    • #2262984

      According to what the ZDNet article says, it opens a backdoor that cannot be closed with a patch. That sounds odd to me, but there it is.

      https://www.zdnet.com/article/printdemon-vulnerability-impacts-all-windows-versions/

      “On an unpatched system, this will install a persistent backdoor, that won’t go away *even after you patch*,” Ionescu said.

      Ionescu is the one who posted the proof-of-concept and associated documentation on GitHub — fortunately after it was, allegedly, massively hacked and many programs and documents kept there got stolen including, I would imagine, other bugs “proofs of concept.” (See link to the relevant thread and, from there, to the article about this in my previous comment.)


      1 user thanked author for this post.
    • #2287164

      Hi, first post, registered because of this thread, how gnarly I think this exploit is and the knowledgeable folks talking here. I like it.

      Anywho, was reading in an article the Stuxnet virus used the print spooler elevation and that was ten years ago and it hasn’t been changed.

      It’s a problem even if your hard drive is encrypted if you’re on Windows and dumb enough to get phished into playing yourself; it seems like with the right social engineering and the right “pigeon” it could be doing a ton of damage. I wonder why it never was changed?
