tags: #cve-analysis
- metadata
- CVE #: CVE-2020-1048
- Related CWE(s):
- Related CVE(s):
- created: 2021-02-02
- title: Client Side Port Check Vulnerability (CVE-2020-1048)
- web:
- https://github.com/shubham0d/CVE-2020-1048
- https://windows-internals.com/printdemon-cve-2020-1048/
- https://github.com/ionescu007/PrintDemon
- https://i.blackhat.com/USA-20/Thursday/us-20-Hadar-A-Decade-After-Stuxnet-Printer-Vulnerability-Printing-Is-Still-The-Stairway-To-Heaven.pdf
- platform: Windows
- descriptor tags: #cve #security #printers
CVE-2020-1048
Summary
PrintDemon is an elevation of privilege (EoP) vulnerability in the Windows Print Spooler service: the service improperly allows arbitrary file writes on the file system.
A local user can craft a print job (via an SHD file) that contains arbitrary data and an arbitrary file path, and the spooler writes it as SYSTEM. This occurs for two primary reasons.
- Specific security checks that exist on the client side when adding a printer port are missing on the server side, so those checks can be circumvented.
- The print spooler, when writing the file to disk, creates and writes the file as the SYSTEM user if the impersonation token has no context.
Components affected
- Windows Print Spooler
- Windows Services
- Authorization
Security Boundaries
**which security boundaries have been crossed?**
- User - A user cannot access or tamper with the code and data of another user without being authorized.
Hashtags
connect CVE to a specific topic, event, theme or concept
#lpe #printers #impersonation #clientSideOnlyChecks #privFileWrite
Requirements
what stars needed to align?
- Client Side Port Check Vulnerability
- unprivileged users can add printers (and assign a printer port)
- ability to assign a printer port to an arbitrary file path.
- Several APIs are able to do this. Some clients have security checks for the path (PortIsValid), some do not. This is a Client Side Port Check Vulnerability. Yes, it was that simple. The UI dialog has a client-side check… the server does not. And PowerShell’s WMI Print Provider Module… does not.
- Self Impersonation Privilege Escalation (SIPE)
- The print spooler relies on capturing the user’s token, but:
Normally, this isn’t a big deal, because all subsequent print job operations will have the user’s token captured, and the file accesses will fail. But not… if you reboot, or kill the Spooler in some way.
- Controlling Print Spooler State
Fundamental Issue / Root Cause
Best Fit Vulnerability Class (or CWE) for this CVE
Is this CVE the Root Cause or a Causal Factor? If not Root, what is?
- causal factor - major contributor to an undesirable condition that if eliminated, would have either prevented the occurrence of the incident or reduced its severity or frequency
Looking at the requirements, this issue is twofold.
- ability to assign a printer port to an arbitrary file path.
- Windows Print Spooler contains a Self Impersonation Privilege Escalation
This CVE specifically addresses the client side check vulnerability. The bigger, root issue is the latter: the Windows Print Spooler contains a Self Impersonation Privilege Escalation.
Patch Info
Summary
If the system is patched, however, this won’t work. Microsoft fixed the vulnerability by moving the PortIsValid check inside of LcmXcvDataPort. That being said, if a malicious port was already created, a user can still “print” to it. This is because of the behavior explained above: the checks in CanUserAccessTargetFile do not apply to “ports pointing to files”, only when “printing to a file”.
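Because a port created before the patch stays usable, the practical follow-up is to audit existing ports. The PowerShell below is an added example (not code from this note or from the linked write-ups): it lists every printer port whose name is a file-system path, which is exactly the “port pointing to a file” case, and shows which printers are bound to it. It assumes the PrintManagement module (Get-PrinterPort, Get-Printer) is available and that Local Port entries live under the registry key named in the script; the risk heuristics are my own.

```powershell
# Added example: audit printer ports that resolve to file-system paths.
# Assumes PrintManagement module and read access to the Local Port registry key.

# Port names the spooler legitimately exposes; anything else path-like is reviewed.
$BenignPort   = '^(FILE:|LPT\d+:|COM\d+:|PORTPROMPT:|nul:?)$'
# A drive path (C:\...) or UNC path (\\server\share) used as a port name.
$PathLikePort = '^([A-Za-z]:\\|\\\\)'
# Extensions that have no business being a print target.
$RiskyExt     = '\.(dll|exe|sys|ps1|bat|cmd|vbs|js)$'

function Get-PrinterPortRisk {
    # Returns an array of reasons; an empty array means the port looks ordinary.
    param([Parameter(Mandatory)][string]$PortName)
    $reasons = @()
    if ($PortName -match $BenignPort)      { return $reasons }
    if ($PortName -notmatch $PathLikePort) { return $reasons }   # TCP/IP, USB, WSD ports etc.
    $reasons += 'port name is a file-system path'
    if ($PortName -match $RiskyExt)               { $reasons += 'executable or script extension' }
    if ($PortName -match '^[A-Za-z]:\\Windows\\') { $reasons += 'target is under %SystemRoot%' }
    return $reasons
}

# Ports as the spooler currently reports them.
$allPorts = @(Get-PrinterPort | Select-Object -ExpandProperty Name)

# Persistent Local Port entries are stored as value names under this key (assumed path);
# reading it as well catches entries that were written but not shown by the cmdlet.
$regKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors\Local Port\Ports'
$regItem = Get-Item -Path $regKey -ErrorAction SilentlyContinue
if ($regItem) { $allPorts += $regItem.Property }
$allPorts = $allPorts | Sort-Object -Unique

# Map port name -> printers bound to it, so a flagged port can be tied to a queue.
$byPort = Get-Printer | Group-Object -Property PortName -AsHashTable -AsString

foreach ($port in $allPorts) {
    $reasons = Get-PrinterPortRisk -PortName $port
    if ($reasons.Count -eq 0) { continue }
    $bound = if ($byPort -and $byPort.ContainsKey($port)) { ($byPort[$port].Name -join ', ') } else { '(none)' }
    [pscustomobject]@{ Port = $port; BoundPrinters = $bound; Reasons = ($reasons -join '; ') }
}
```

Run it elevated so the registry key is readable; a path-like port with no bound printer is still worth removing, since a job can be submitted to the port itself.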
Version
Release Date | Product | Platform | Impact | Severity | Article | Download | Details
---|---|---|---|---|---|---|---
May 12, 2020 | Windows 10 Version 1909 for x64-based Systems | - | Elevation of Privilege | Important | 4556799 | Security Update | CVE-2020-1048