[German]There is a CVE-2020-1048 vulnerability in Windows print spooler that could allow malicious software to gain elevated privileges. But a patch is available since May 12, 2020, and there are a few restriction to misuse that flaw. Here is a brief overview what to know, including a discussion, how critical the vulnerability is.
Windows Print Spooler vulnerability CVE-2020-1048
CVE-2020-1048 is a privilege escalation vulnerability in Windows print spooler service that allows arbitrary writing to the file system. An attacker who successfully exploited this vulnerability could execute arbitrary code with elevated system privileges. An attacker could then install programs, view, modify, or delete data, or create new accounts with full user privileges.
However, to exploit this vulnerability, an attacker would have to log on to an affected system and execute a specially crafted script or application. Microsoft does not believe that this vulnerability is likely to be exploited. However, on patchday May 12, 2020, the company released security updates for Windows 7 through Windows 10 and the server counterparts to address the vulnerability. The list of updates can be found on this page. Additionally, the Windows security updates for the May 2020 patchday are listed in my articles at the end of this article.
Exploit for CVE-2020-1048
I already recognized the topic yesterday on Twitter reading the following tweet from Alex Ionescu.
Attackers can exploit CVE-2020-1048 with a single PowerShell command:
Add-PrinterPort -Name c:\windows\system32\ualapi.dll
On an unpatched system, this will install a persistent backdoor, that won’t go away *even after you patch*.
See https://t.co/9yMSWNM8VG for more details.
— Alex Ionescu (@aionescu) May 13, 2020
A PowerShell command is sufficient to register a DLL as PrinterPort. A manipulated ualapi.dll would then run with system privileges and can manipulate any files. A backdoor set up in this way would not be removed by subsequent patching – this is a helpful hint. On windows-internals.com Alex Ionescu has described the details. And there is this GitHub page with a PoC. The night Woody Leonhard cover it here as well. But I don’t want to leave this topic without any comment.
A few remarks
Since security updates are available, this vulnerability can be easily closed by users. But there is more to note. Ionescu writes that the vulnerability is also present in older versions of Windows. In fact, only Windows 7 systems that fell out of extended support in January 2020 are still in broader use and receives patches from Microsoft through the ESU program.
But: By default, the execution of PowerShell commands is disabled in Windows. So to run the above PowerShell command, the administrator must have allowed that. So this way is not dangerous for regular users who have never used PowerShell. But that won’t prevent attackers to use their own methods to register a DLL. Nevertheless, they need access to a machine and administrative privileges.
I was wondering the same. These seem to have been added with Windows 8. I suppose the attacker would have to use their own tool for creating the port on Windows 7.
— Mitja Kolsek (@mkolsek) May 13, 2020
From the discussion between VessOnSecurity and Mitja Kolsek (0patch) I gather that the above PowerShell verbs were only introduced in Windows 8. Of course this does not prevent attackers from using their own methods to exploit them. But in all cases, it seems, that an attacker must be an administrator on the system to register print spooler DLLs. However, the DLL then receives the permissions from SYSTEM.
Addendum: Mitja Kolsek just send me a private message. They tested at ACROS Security the PoC. It works in Windows 7 and it don’t need admin rights.
It is good that Alex Ionescu has examined this topic in more detail. But the exploitation requires a m. E. administrator permissions. There is also a patch for the operating systems currently still supported by Microsoft. So every administrator can (and should because of the reasons mentioned above) close the vulnerability via update and is good. Or have I missed something?
Microsoft Office Patchday (May 5, 2020)
Microsoft Security Update Summary (May 12, 2020)
Patchday: Windows 10 Updates (May 12, 2020)
Patchday: Updates for Windows 7/8.1/Server (May 12, 2020)
Cookies helps to fund this blog: Cookie settings