Researchers flag two zero-days in Windows Print Spooler
In May 2020, Microsoft patched CVE-2020-1048, a privilege escalation vulnerability in the Windows Print Spooler service discovered by Peleg Hadar and Tomer Bar from SafeBreach Labs.
A month later, the two researchers found a way to bypass the patch and re-exploit the vulnerability on the latest Windows version. Microsoft assigned this vulnerability a new identification number – CVE-2020-1337 – and will patch it on the August 2020 Patch Tuesday. They’ve also discovered a DoS flaw affecting the same service, which won’t be patched.
What is the Print Spooler?
“The primary component of the printing interface is the print spooler. The print spooler is an executable file that manages the printing process. Management of printing involves retrieving the location of the correct printer driver, loading that driver, spooling high-level function calls into a print job, scheduling the print job for printing, and so on. The spooler is loaded at system startup and continues to run until the operating system is shut down,” Microsoft explains.
“The Print Spooler code is at least 20 years old. In general, older code tends to contain old bugs and might be more risky because of security flaws but, in fact, there were only a few discovered vulnerabilities in the spooler service during the last 20+ years,” Hadar told Help Net Security.
One of those is CVE-2010-2729, the privilege escalation vulnerability exploited years ago by Stuxnet. Another is CVE-2020-1048, the aforementioned Print Spooler flaw patched in May 2020.
The newly discovered Windows Print Spooler zero-days
Hadar and Bar shared more information about the two discovered zero-days at Black Hat USA 2020 this week.
CVE-2020-1337 is a local privilege escalation vulnerability that affects all the Windows releases from Windows 7 to Windows 10 (32 and 64-bit).
Aside from allowing attackers to achieve SYSTEM privileges, it can also be used as a persistence technique, Hadar explained, through the following steps:
- Malicious code can trigger the vulnerability on each OS restart by writing .shd and .spl files to the spooler folder
- After the OS reboots, the spooler service processes the .shd and .spl files, the vulnerability is exploited, and the spooler rewrites the malware’s DLL to a path under system32 that is vulnerable to DLL hijacking, where it is loaded by a system process.
The local DoS vulnerability is an old one: it can be exploited on all Windows releases from Windows 2000 to Windows 10 (32 and 64-bit).
This one didn’t get a CVE number and won’t be patched, as Microsoft says it “doesn’t meet its servicing bar for security updates.”
More details about the two flaws can be found in this whitepaper.
The researchers have released an exploit PoC for CVE-2020-1048 and the spooler DoS flaw and will release one for CVE-2020-1337 next week, after the patch is made available.
Tools for mitigation and further research
They’ve also released a PoC minifilter kernel driver for mitigating elevation-of-privilege vulnerabilities that stem from arbitrary writes to the file system.
“One of the root causes of the arbitrary file write bug class (in the context of local privilege escalation) is the fact that an unprivileged user is allowed to write directly to folders which are being handled directly by services which run as NT AUTHORITY\SYSTEM,” they explained.
The driver demonstrates how one can prevent the exploitation of such vulnerabilities in real-time (though, they warned, the code is for demonstration purposes only and should not be used in a production environment).
They’ve also made available an SHD file template for the 010 hex editor, to help other researchers start their own research on the Print Spooler mechanism.
All of these releases are available from this GitHub repository.
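As an added defensive check, not code from the researchers or their repository, the following PowerShell script audits the spool folder that the root-cause description above refers to: it reports ACEs that let low-privilege principals create files there and lists any leftover .shd/.spl job files with their owners. It assumes the documented DefaultSpoolDirectory registry value and the Windows default spool path, and English principal names.

```powershell
# Added audit script; not code from SafeBreach Labs or the linked repository.
# Assumptions: spool directory comes from the DefaultSpoolDirectory registry
# value, falling back to the default %SystemRoot%\System32\spool\PRINTERS.
function Test-SpoolFolderExposure {
    $regKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Printers'
    $spoolDir = (Get-ItemProperty -Path $regKey -ErrorAction SilentlyContinue).DefaultSpoolDirectory
    if (-not $spoolDir) { $spoolDir = Join-Path $env:SystemRoot 'System32\spool\PRINTERS' }

    # Low-privilege principals whose create/write rights on a folder consumed by
    # a SYSTEM service are the exposure described in the article.
    $lowPriv   = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
    $writeMask = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                 [System.Security.AccessControl.FileSystemRights]::CreateDirectories

    $findings = @()
    foreach ($ace in (Get-Acl -Path $spoolDir).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band [int]$writeMask) -ne 0) {
            $findings += [pscustomobject]@{
                Kind   = 'WriteAllowed'
                Detail = "$($ace.IdentityReference) can create files in $spoolDir"
            }
        }
    }

    # Job files are normally transient; the persistence path above depends on
    # them surviving until the next boot, so list any present with their owner.
    $lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
    $jobFiles = Get-ChildItem -Path (Join-Path $spoolDir '*') -Include '*.shd', '*.spl' -File -ErrorAction SilentlyContinue
    foreach ($f in $jobFiles) {
        $age   = if ($f.LastWriteTime -lt $lastBoot) { 'predates last boot' } else { 'since last boot' }
        $owner = (Get-Acl -Path $f.FullName).Owner
        $findings += [pscustomobject]@{
            Kind   = 'JobFile'
            Detail = "$($f.FullName) owner=$owner written $($f.LastWriteTime) ($age)"
        }
    }
    return $findings
}

Test-SpoolFolderExposure | Format-Table -AutoSize
```

On a default install the Users group legitimately needs create rights here so that anyone can print, so a WriteAllowed finding is the by-design exposure the researchers' minifilter is meant to cover rather than a misconfiguration by itself. Job files owned by accounts that do not print, or that outlive a reboot, are the ones worth inspecting.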