PrintDemon: The Demon Striking all the Windows Versions

Recently, two security researchers have released a report about a vulnerability in the Windows printing service. According to the details, the vulnerability impacts all Windows versions, even Windows NT 4 that dates back to 1996.

What’s the story?

  • Codenamed PrintDemon, the vulnerability is located in the Windows Print Spooler, a primary component of the Windows printing interface.
  • The Windows Print Spooler can send data to be printed to a USB/parallel port, a transmission control protocol (TCP) port, or a local file.

How severe is the vulnerability?

  • According to the report, the vulnerability in this component can be abused to hijack the internal mechanism of the Print Spooler.
  • The bug can't be exploited to break into a Windows client remotely or to compromise arbitrary Windows systems over the internet.
  • The researchers described PrintDemon as a local privilege escalation (LPE) vulnerability.
  • This means that after compromising an app or a Windows machine, even with only user-mode privileges, an attacker can run something as simple as one unprivileged PowerShell command to obtain administrator-level privileges over the entire operating system.

What can attackers do?

  • The Print Spooler service is available to every app running on a system, without restrictions, which allows an attacker to create a print job that prints to a file.
  • The attacker can start the printing operation, crash the Print Spooler service, and let the job resume. This time the printing operation runs with SYSTEM privileges, allowing the attacker to overwrite any file anywhere on the operating system.
  • While exploitation on current Windows versions requires a single line of PowerShell, older Windows versions might need some tweaking.
  • On an unpatched system, attackers can install a persistent backdoor that doesn't go away even after the system is patched.
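Because the technique above depends on a printer port that resolves to a local file path, one thing an administrator can do while rolling out the patch is audit the spooler for such ports. The following PowerShell script is an added example written for this summary; it is not code from the researchers or from Microsoft. It assumes the PrintManagement cmdlets (Get-PrinterPort, Get-Printer) are available, which is the case on Windows 8 / Server 2012 and later, and that the Local Port monitor still records its ports as value names under the registry key named in the script; both are assumptions you should confirm on your own build.

```powershell
# Added example (not from the original article): list printer ports whose
# name is a local filesystem path, the configuration a print-to-file job
# relies on. Run in an elevated PowerShell session.

# A port name that starts with a drive letter or a \\?\ device prefix is a
# file path rather than a device, TCP or standard FILE: port. A match is a
# finding to review, not proof of compromise: legitimate print-to-file
# setups exist on some hosts.
$pathPattern = '^[A-Za-z]:\\|^\\\\\?\\'

function Get-FilePathPrinterPort {
    foreach ($port in Get-PrinterPort) {
        if ($port.Name -match $pathPattern) {
            # Show which printers are bound to the port so the owner can be traced.
            $boundPrinters = Get-Printer |
                Where-Object { $_.PortName -eq $port.Name } |
                Select-Object -ExpandProperty Name
            [pscustomobject]@{
                Port        = $port.Name
                Monitor     = $port.PortMonitor
                Description = $port.Description
                Printers    = ($boundPrinters -join ', ')
            }
        }
    }
}

# The Local Port monitor keeps its port list in the registry as well
# (assumed location); checking it catches ports added without the cmdlets.
function Get-FilePathLocalPortFromRegistry {
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors\Local Port\Ports'
    if (Test-Path $regPath) {
        (Get-Item $regPath).Property | Where-Object { $_ -match $pathPattern }
    }
}

$findings = @(Get-FilePathPrinterPort)
$registryFindings = @(Get-FilePathLocalPortFromRegistry)

if ($findings.Count -eq 0 -and $registryFindings.Count -eq 0) {
    Write-Output 'No printer ports pointing at local file paths were found.'
} else {
    if ($findings.Count -gt 0) {
        Write-Output 'Printer ports pointing at local file paths (review each):'
        $findings | Format-Table -AutoSize
    }
    foreach ($name in $registryFindings) {
        Write-Output "Registry-only local port pointing at a file path: $name"
    }
}
```

Run the script as a scheduled inventory task and compare the output across runs; a port that appears between two runs on a host where nobody configured print-to-file is the kind of change worth investigating. Finding a matching port does not by itself mean the vulnerability was used, and an empty result does not replace installing the May 2020 update.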

The good news

  • Microsoft released fixes for PrintDemon, tracked under the CVE-2020-1048 identifier, in its May 2020 Patch Tuesday updates.
  • One of the two researchers has also published proof-of-concept code on GitHub to help security researchers and system administrators examine the vulnerability and devise mitigations and detection capabilities.