tags: #cve-analysis

CVE-2020-1048

Summary

PrintDemon is an elevation of privilege (EoP) vulnerability in the Windows Print Spooler service: the service improperly allows arbitrary file writes to the file system.

A local user can craft a print job (via a SHD file) that contains arbitrary data and an arbitrary file path, and have it written as SYSTEM. This occurs for two primary reasons:

  • Specific security checks exist on the client side when adding a printer port but are missing on the server side, so those checks can be circumvented.
  • When writing the file to disk, the print spooler creates and writes the file as the SYSTEM user if the impersonation token has no context.

Components affected

  • Windows Print Spooler
  • Windows Services
  • Authorization

Security Boundaries

which security boundaries have been crossed?

  • User - A user cannot access or tamper with the code and data of another user without being authorized.

Hashtags

connect CVE to a specific topic, event, theme or concept

#lpe #printers #impersonation #clientSideOnlyChecks #privFileWrite

Requirements

what stars needed to align?

  • Client Side Port Check Vulnerability
    • unprivileged users can add printers (and assign a printer port)
    • ability to assign a printer port to an arbitrary file path.
      • Several APIs are able to do this. Some clients have a security check for the path (PortIsValid), some do not. This is a Client Side Port Check Vulnerability.
      • Yes, it was that simple. The UI dialog has a client-side check… the server, does not. And PowerShell’s WMI Print Provider Module… does not.

  • Self Impersonation Privilege Escalation (SIPE)
    • The print spooler relies on capturing the user’s token, but:
    • Normally, this isn’t a big deal, because all subsequent print job operations will have the user’s token captured, and the file accesses will fail. But not… if you reboot, or kill the Spooler in some way.

  • Controlling Print Spooler State

Fundamental Issue / Root Cause

Best Fit Vulnerability Class (or CWE) for this CVE

Is this CVE the Root Cause or a Causal Factor? If not Root, what is?

  • causal factor - major contributor to an undesirable condition that if eliminated, would have either prevented the occurrence of the incident or reduced its severity or frequency

Looking at the requirements, this issue is twofold.

  • ability to assign a printer port to an arbitrary file path.
  • Windows Print Spooler contains a Self Impersonation Privilege Escalation

This CVE specifically addresses the client side check vulnerability. The bigger, root issue is the latter: the Windows Print Spooler contains a Self Impersonation Privilege Escalation.

Patch Info

Summary

If the system is patched, however, this won’t work. Microsoft fixed the vulnerability by now moving the PortIsValid check inside of LcmXcvDataPort. That being said, however, if a malicious port was already created, a user can still “print” to it. This is because of the behavior we explained above — the checks in CanUserAccessTargetFile do not apply to “ports pointing to files” — only when “printing to a file”.
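A defender-side check for the two points above (ports created through a path with no server-side PortIsValid check, and ports that survive the patch and can still be printed to), added here as an example; it is not part of the original note or of the write-up it quotes. It assumes the PrintManagement module's Get-PrinterPort and Remove-PrinterPort cmdlets are available and that the Local Port monitor stores its port list under the registry key named in the code; the list of expected port-name patterns is this example's own assumption and may need extending for a given environment.

```powershell
# Added example (not from the original note): list printer ports whose name
# is a file-system path. A port created before the fix is still usable on a
# patched host, so the existing port list is what needs reviewing.
# Assumptions: PrintManagement module present; Local Port monitor ports are
# stored under the registry key below; $expected covers the ordinary ports.

function Find-FilePathPrinterPort {
    [CmdletBinding()]
    param()

    $localPortKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors\Local Port\Ports'

    # Port names that are ordinary on a Windows host (assumed list).
    # Anything else is reported for review rather than silently accepted.
    $expected = '^(LPT\d+:|COM\d+:|FILE:|nul:|PORTPROMPT:|SHRFAX:|XPSPort:|USB\d{3}|WSD-.*|IP_.*|\\\\[^\\]+\\.+|[0-9]{1,3}(\.[0-9]{1,3}){3})$'

    # Collect names from the spooler's view and from the monitor's stored list,
    # so a port that is registered but not currently enumerated is still seen.
    $names = @()
    $names += (Get-PrinterPort | Select-Object -ExpandProperty Name)
    if (Test-Path $localPortKey) {
        $names += (Get-Item $localPortKey).Property
    }

    foreach ($name in ($names | Sort-Object -Unique)) {
        if ($name -match '^([A-Za-z]:\\|\\\\\?\\)') {
            # Drive-letter or \\?\ prefix: the spooler writes the job to that path.
            [pscustomobject]@{ Port = $name; Finding = 'targets a file-system path' }
        }
        elseif ($name -notmatch $expected) {
            [pscustomobject]@{ Port = $name; Finding = 'unrecognised port name, review' }
        }
    }
}

# Typical use: review every port reported, and remove a confirmed bad one with
# Remove-PrinterPort -Name <port> after checking which printers reference it.
Find-FilePathPrinterPort | Format-Table -AutoSize
```

UNC names (`\\server\share`) are treated as expected network-printer ports here and are not flagged; a port pointing at a file on a share would need that rule tightened. Run the function after patching as well as before, since the patch only blocks creation of new ports through LcmXcvDataPort and does nothing about ports already present.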

Version

| Release Date | Product | Platform | Impact | Severity | Article | Download | Details |
|---|---|---|---|---|---|---|---|
| May 12, 2020 | Windows 10 Version 1909 for x64-based Systems | - | Elevation of Privilege | Important | 4556799 | Security Update | CVE-2020-1048 |

Patch - Treating a Symptom or Cure?