Skip to content

Latest commit

 

History

History
100 lines (72 loc) · 5.28 KB

CVE-2020-1048.md

File metadata and controls

100 lines (72 loc) · 5.28 KB
layout title parent grand_parent
default
CVE-2020-1048
CVEs
Resources

tags: #cve-analysis

CVE-2020-1048

Summary

PrintDemon is an elevation of privilege (EoP) vulnerability that exists in the Windows Print Spooler service as it improperly allows arbitrary file writing on the file system

A local user can craft an print job (via a SHD file) which contains arbitrary data and an arbitrary file path as SYSTEM. This occurs because of two primary reasons.

  • There are specific security checks that exist on the client side when adding a printer port that are missing on the server side, and those checks can be circumvent.
  • The print spooler, when writing the file to disk creates and writes the file as the SYSTEM user if the impersonation token has no context.

Components affected

  • Windows Print Spooler
  • Windows Services
  • Authorization

Security Boundaries

which security boundaries have been crossed?*

  • User - A user cannot access or tamper with the code and data of another user without being authorized.

Hashtags

connect CVE to a specific topic, event, theme or concept

#lpe #printers #impersonation #clientSideOnlyChecks #privFileWrite

Requirements

what stars needed to align?

  • Client Side Port Check Vulnerability
    • unprivileged users can add printers (and assign a printer port)
    • ability to assign a printer port to an arbitrary file path.
      • Several APIs are able to do this. Some clients have security checks for the path PortIsValid, some do not. This is a Client Side Port Check Vulnerability.
      • Yes, it was that simple. The UI dialog has a client-side check… the server, does not. And PowerShell’s WMI Print Provider Module… does not.

  • Self Impersonation Privilege Escalation (SIPE)
    • The print spooler relies on capturing the user's token. but:
    • Normally, this isn’t a big deal, because all subsequent print job operations will have the user’s token captured, and the file accesses will fail. But not… if you reboot, or kill the Spooler in some way.

  • Controlling Print Spooler State

Fundamental Issue / Root Cause

Best Fit Vulnerability Class (or CWE) for this CVE

Is this CVE the Root Cause or a Causal Factor? If not Root, what is?

  • causal factor - major contributor to an undesirable condition that if eliminated, would have either prevented the occurrence of the incident or reduced its severity or frequency

Looking at the requirements, this issue is two fold.

  • ability to assign a printer port to an arbitrary file path.
  • Windows Print Spooler contains a Self Impersonation Privilege Escalation

This CVE addresses specifically the client side check vulnerability. The bigger or root issue being the latter Windows Print Spooler contains a Self Impersonation Privilege Escalation.

Patch Info

Summary

If the system is patched, however, this won’t work. Microsoft fixed the vulnerability by now moving the PortIsValid check inside of LcmXcvDataPort. That being said, however, if a malicious port was already created, a user can still “print” to it. This is because of the behavior we explained above — the checks in CanUserAccessTargetFile do not apply to “ports pointing to files” — only when “printing to a file”.[](Windows Print Spooler contains a Self Impersonation Privilege Escalation)

Version

Release Date Product Platform impact Severity Article Download Details
May 12, 2020 Windows 10 Version 1909 for x64-based Systems - Elevation of Privilege Important 4556799 Security Update CVE-2020-1048

Patch - Treating a Symptom or Cure?