Among the vulnerabilities patched by Microsoft on the May 2020 Patch Tuesday is CVE-2020-1048, a “lowly” privilege escalation vulnerability in the Windows Print Spooler service.
The vulnerability did not initially get much public attention but, as security researchers have since noted, the attackers who deployed Stuxnet ten years ago used a similar one to great effect.
CVE-2020-1048, which affects Windows 7, 8.1, and 10 and Windows Server 2008, 2012, 2016, and 2019, arises from the Windows Print Spooler service improperly allowing arbitrary writing to the file system.
“An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft explained.
The vulnerability is not exploitable remotely – an attacker must already have access to the target system (be logged on) to be able to run a specially crafted script or application that will exploit the flaw.
What’s the big deal?
Though researchers Peleg Hadar and Tomer Bar from SafeBreach Labs have been credited with the discovery of CVE-2020-1048, the flaw is one of several Print Spooler issues that researchers Yarden Shafir and Alex Ionescu of Winsider discovered around the same time.
“Print Spooler continues to be one of the oldest Windows components that still hasn’t gotten much scrutiny, even though it’s largely unchanged since Windows NT 4,” Shafir and Ionescu noted, but obviously that’s changing.
Shafir and Ionescu shared more technical details about CVE-2020-1048 and explained how it can be used to elevate privileges, bypass EDR rules, gain persistence, and more. They’ve also released PoC exploit code and dubbed the flaw “PrintDemon”.
The general advice is to implement the patch as soon as possible because, they claim, the flaw is easy to exploit with a single PowerShell command.
Attackers can exploit CVE-2020-1048 with a single PowerShell command:
Add-PrinterPort -Name c:\windows\system32\ualapi.dll
On an unpatched system, this will install a persistent backdoor, that won't go away *even after you patch*.
See https://t.co/9yMSWNM8VG for more details.
— Alex Ionescu (@aionescu) May 13, 2020
While some, like Rapid7 researcher Brendan Watters, dispute the ease of exploitation, there’s no doubt that patching is a good move.
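As an added defender-side example (not from the article, and not the researchers’ PoC), the following PowerShell audit enumerates the local printer ports and flags any whose name is a file-system path, which is the pattern the single command above relies on and which a patch alone does not clean up. The cmdlets are the standard PrintManagement ones; the sensitive-directory list and the script itself are assumptions.

```powershell
# Added example (not from the original article): audit local printer ports for
# names that are file-system paths, the setup used by the persistence described
# above. Assumes the PrintManagement module (Windows 8 / Server 2012 and later)
# and an elevated session when -Remove is used.
param(
    [switch]$Remove   # report only, unless -Remove is given
)

# Directories where a spooler-driven write is most dangerous (assumed list).
$sensitiveRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)})

function Test-SuspiciousPortName {
    param([string]$Name)
    # Normal local ports look like LPT1:, COM1:, FILE:, NUL: or PRN:. Anything that
    # parses as a rooted path (C:\..., \\server\share\...) deserves a look.
    if ($Name -match '^(LPT\d+|COM\d+|FILE|NUL|PRN):?$') { return $false }
    return [System.IO.Path]::IsPathRooted($Name)
}

$findings = foreach ($port in Get-PrinterPort) {
    if (-not (Test-SuspiciousPortName $port.Name)) { continue }
    $inSensitive = $sensitiveRoots |
        Where-Object { $_ -and $port.Name.StartsWith($_, 'OrdinalIgnoreCase') }
    [pscustomobject]@{
        Port      = $port.Name
        Monitor   = $port.PortMonitor
        Exists    = Test-Path -LiteralPath $port.Name   # has the spooler already written it?
        Sensitive = [bool]$inSensitive
    }
}

if (-not $findings) {
    Write-Host 'No path-like printer ports found.'
    return
}
$findings | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        # Removing the port stops further spooler writes to that path; any file it
        # already produced must be reviewed and cleaned up separately.
        Remove-PrinterPort -Name $f.Port -ErrorAction Continue
    }
}
```

Run it from an elevated prompt on hosts that were unpatched for any period, since removing the port and reviewing the file it points at are the parts the patch does not do for you.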