A security researcher has disclosed details of the vulnerability CVE-2020-1337 (Windows Print Spooler Elevation of Privilege Vulnerability) and demonstrated how it can be exploited. The vulnerability affects Windows 7 through Windows 10 and their server counterparts; an update has been available since August 11, 2020.
The vulnerability CVE-2020-1337
There is a vulnerability in the Windows Print Spooler service that allows privilege escalation. I had already mentioned that in my German blog post Windows-Schwachstelle CVE-2020-1337 wird heute gepatcht. Microsoft writes about the vulnerability CVE-2020-1337:
CVE-2020-1337 | Windows Print Spooler Elevation of Privilege Vulnerability
An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly allows arbitrary writing to the file system. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted script or application.
The update addresses the vulnerability by correcting how the Windows Print Spooler Component writes to the file system.
The Windows Print Spooler service erroneously allows arbitrary writing to the file system. This creates a vulnerability that an attacker can exploit to gain privileges. A successful attacker could execute arbitrary code with elevated system privileges. This would then allow the attacker to install programs, view, modify or delete data, and create new (admin) accounts with full user privileges.
However, the exploitability is limited – an attacker would have to log on to an affected system and execute a specially crafted script or application to exploit this vulnerability. The vulnerability affects Windows 7 through Windows 10 and their server counterparts. As of August 11, 2020 Microsoft has also patched the vulnerability CVE-2020-1337 (Windows Print Spooler Elevation of Privilege Vulnerability) in the supported Windows versions.
Details on the vulnerability CVE-2020-1337
Now Paolo Stagno, the discoverer of the CVE-2020-1337 vulnerability, has revealed his findings in this blog post. He managed to bypass the patch for the previous vulnerability CVE-2020-1048, which affected all versions of Windows 10.
Just got assigned CVE-2020-1337. Here its Vulnerability description, Root Cause Analysis and PoC for my PrintDemon’s (CVE-2020-1048) Patch Bypass via Junction Directory (TOCTOU). https://t.co/uyms2SIgob pic.twitter.com/8coztrZJBN
— Paolo Stagno (VoidSec) (@Void_Sec) August 11, 2020
Paolo Stagno, the discoverer of the CVE-2020-1337 vulnerability, had his proof of concept (PoC) ready three days after the original security update was released. The whole thing is based on the fact that non-privileged users can add printers to Windows and then print. But the printer port can be a path to a file on the hard disk. In this blog post he reveals how an attacker could exploit this in a tricky way. Users and administrators should therefore promptly install the August 2020 Windows updates to close the vulnerability. The following YouTube video shows the attack.
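
Since the issue rests on printer ports that are file paths, and the bypass named in the tweet uses a junction directory, administrators can audit existing ports for both conditions. The following PowerShell is an added example, not code from the original post or from the researcher; it relies on `Get-Printer` and `Get-PrinterPort` from the PrintManagement module, and the function names are hypothetical.

```powershell
# Added example: list printer ports that point at the file system and flag
# any directory in their path that is a reparse point (junction or symlink).
# Assumes the PrintManagement module (Windows 8 / Server 2012 or later).

function Test-FilePathPort {
    # True when the port name looks like a local or UNC file path rather than
    # a device port such as LPT1:, COM1:, FILE:, USB001 or an IP port.
    param([Parameter(Mandatory)][string]$PortName)
    return $PortName -match '^(?:[A-Za-z]:\\|\\\\)'
}

function Get-ReparsePointAncestor {
    # Walk from the port's directory up to the root and emit every existing
    # directory that carries the ReparsePoint attribute.
    param([Parameter(Mandatory)][string]$Path)
    try { $dir = [IO.Path]::GetDirectoryName($Path) } catch { return }
    while ($dir) {
        $item = Get-Item -LiteralPath $dir -Force -ErrorAction SilentlyContinue
        if ($item -and ($item.Attributes -band [IO.FileAttributes]::ReparsePoint)) {
            $item.FullName
        }
        $dir = [IO.Path]::GetDirectoryName($dir)   # $null once the root is reached
    }
}

function Get-FilePathPrinterPort {
    # One result object per file-path port, with the printers bound to it.
    $printers = @(Get-Printer)
    foreach ($port in Get-PrinterPort) {
        if (-not (Test-FilePathPort -PortName $port.Name)) { continue }
        $bound = @($printers | Where-Object PortName -eq $port.Name |
                   ForEach-Object Name)
        [pscustomobject]@{
            PortName      = $port.Name
            Printers      = $bound -join ', '
            ReparsePoints = @(Get-ReparsePointAncestor -Path $port.Name) -join ', '
            TargetExists  = Test-Path -LiteralPath $port.Name
        }
    }
}

Get-FilePathPrinterPort | Format-Table -AutoSize -Wrap
```

Any row in the output deserves review on a system where no printer is expected to print to a file; a non-empty `ReparsePoints` column means the port's path passes through a junction or symbolic link.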