tags: #cve-analysis

CVE-2020-1030

Summary

By default, users can add printers without administrator privileges. This is only applicable if the printer uses a preinstalled or inbox driver.

This is why a driver can be installed without a permission prompt.

The underlying issue for CVE-2020-1030 was that the Windows Print Spooler returned a privileged handle to a normal user. The privileged handle (or printer object) enabled restricted (admin only) Windows Spooler APIs to be called using the privileged handle.

Printer configurations are stored as individual subkeys under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers. The spooler provides APIs for managing configuration data such as EnumPrinterData, GetPrinterData, SetPrinterData, and DeletePrinterData. Underneath, these functions perform registry operations relative to the printer’s key.

Once the printer object is created (Figure 1), we leverage the returned handle to call SetPrinterDataEx and configure the printer’s spool directory. Keep in mind, SetPrinterDataEx requires administrative permission, which is afforded by the handle’s PRINTER_ALL_ACCESS access rights.

This opens up the possibility of creating a printer as a user and changing its configuration in the Registry (via the APIs). If the registry keys are changed, they won’t take effect until a reboot, so they used another primitive to load AppVTerminator.dll (located within System32) to kill the spooler.

Enter AppVTerminator.dll. This library is a signed Microsoft binary included in Windows (confirmed on Windows 10). When loaded into spooler, the library calls TerminateProcess which subsequently kills the spoolsv.exe process. This event triggers the recovery mechanism in the Service Control Manager which in turn starts a new spooler process.

By chaining this with the user-configurable “SpoolDirectory” of the created printer, you can set it to any location that SYSTEM can write to. After the spooler calls CreateDirectory, it modifies the DACL of the path to grant Write permission to standard users, which then allows an attacker to write its payload where needed.

To trigger the LoadLibrary:

SetPrinterDataEx with the CopyFiles registry key causes the spooler to automatically load the Point and Print DLL assigned in the Module value (Figure 3). This event is triggered when pszKeyName begins with the CopyFiles string (Figure 4). It initiates a sequence of functions leading to LoadLibrary and LoadLibraryEx – the Windows APIs for mapping a DLL into the current process.
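As an added defender-side example (not from the original note or the researchers' write-up), this PowerShell audit reads the per-printer keys described above and flags the two settings the chain relies on: a non-default SpoolDirectory and a CopyFiles Module value that either sits outside System32 or names AppVTerminator.dll. The System32 path assumption and the file-name check are mine; run it from an elevated prompt.

```powershell
# Added audit example for CVE-2020-1030 indicators (not from the original note).
$printersKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers'
$defaultSpool = (Get-ItemProperty -Path $printersKey -ErrorAction SilentlyContinue).DefaultSpoolDirectory
$system32     = Join-Path $env:SystemRoot 'System32'   # assumption: expected home of Point and Print modules

$findings = foreach ($printer in Get-ChildItem -Path $printersKey) {
    $props = Get-ItemProperty -Path $printer.PSPath

    # A per-printer SpoolDirectory is normally absent or empty; a populated value that
    # differs from the global default means the spool folder (which the spooler creates
    # and re-ACLs for standard users) has been redirected somewhere else.
    if ($props.SpoolDirectory -and $props.SpoolDirectory -ne $defaultSpool) {
        [pscustomobject]@{ Printer = $printer.PSChildName; Setting = 'SpoolDirectory'; Value = $props.SpoolDirectory }
    }

    # CopyFiles\<name>\Module is loaded into spoolsv.exe via LoadLibrary/LoadLibraryEx.
    $copyFiles = Join-Path -Path $printersKey -ChildPath "$($printer.PSChildName)\CopyFiles"
    if (Test-Path -Path $copyFiles) {
        foreach ($sub in Get-ChildItem -Path $copyFiles -Recurse) {
            $module = (Get-ItemProperty -Path $sub.PSPath).Module
            if (-not $module) { continue }

            $leaf        = Split-Path -Path $module -Leaf
            $hasPath     = $module -match '[\\/]'
            $outsideSys  = $hasPath -and -not ($module -like "$system32\*")
            $isTerminator = $leaf -ieq 'AppVTerminator.dll'   # the in-box DLL the chain uses to kill the spooler

            if ($outsideSys -or $isTerminator) {
                [pscustomobject]@{
                    Printer = $printer.PSChildName
                    Setting = "CopyFiles\$($sub.PSChildName)\Module"
                    Value   = $module
                }
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No suspicious printer configuration found.' }
```

A Module inside System32 other than AppVTerminator.dll is not flagged by path alone, so treat a non-default SpoolDirectory as the stronger of the two indicators.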

Components affected

Windows Print Spooler

Security Boundaries

which security boundaries have been crossed?

  • User boundary - A user cannot access or tamper with the code and data of another user without being authorized.

Hashtags

connect CVE to a specific topic, event, theme or concept #spooler

Requirements

what stars needed to align?

  • needed a LoadLibrary primitive (Point and Print)
  • ability to AddPrinter to retrieve an admin [[Handle (computing)]]
  • ability to create an arbitrary directory with user WRITE privileges
  • ability to restart the spooler

Fundamental Issue / Root Cause

The underlying issue for CVE-2020-1030 was that the Windows Print Spooler returned a privileged handle to a normal user. The privileged handle (or printer object) enabled restricted (admin only) Windows Spooler APIs to be called using the privileged handle.

Best Fit Vulnerability Class (or CWE) for this CVE

Is this CVE the Root Cause or a Causal Factor?

Choose one:

  • root cause - underlying issue or fundamental reason of a problem or issue
  • causal factor - major contributor to an undesirable condition that if eliminated, would have either prevented the occurrence of the incident or reduced its severity or frequency

Patch Info

Version

  • Date - Sep 2020
  • Link - https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1030

Treating a Symptom or Cure?