All Versions of Windows are affected by this vulnerability since 1996

All Versions of Windows are affected by this vulnerability since 1996

Once again, a PrintDemon flaw has come into the limelight that existed for over two decades. Two security researchers Alex Ionescu & Yarden Shafir found a vulnerability in the Windows Print Spooler component responsible for managing the printing process. This vulnerability can be used to elevate privileges, bypass EDR rules, gain persistence, and more. This vulnerability affects all Windows systems dating back to 1996.

The flaw, which they code named it is PrintDemon, which is located in Windows Print Spooler, the primary Windows component responsible for managing print operations.

The service can send data to be printed to a USB/parallel port for physically connected printers; to a TCP port for printers residing on a local network and on the internet and also to a local file, in the rare event the user wants to save a print job for later.

About the PrintDemon Vulnerability:

PrintDemon vulnerability allows an attackers to escalate the privileges of the local user. This means that once an attacker takes access inside an app or a Windows machine as a local user, even with that, the attacker can run something as simple as one unprivileged PowerShell command to gain Administrator Level Privileges over the entire Operating System. Alex Ionescu explained in a tweet that the attacker can exploit CVE-2020-1048 with a single PowerShell Command which can result in persistent impact despite patching.

Tweet of Alex Ionescu

A threat actor who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. A threat actor could then install programs; view, change, or delete data; and also create new accounts with full user rights. Ionescu has also published proof-of-concept code on GitHub with the purpose of aiding security researchers and system administrators to investigate the vulnerability and prepare mitigations and detection capabilities. Click here to download the proof-of-concept from Github.
In fact, Ionescu explained in a tweet that the bug can result in persistent impact despite patching.
Attribution link:

Mitigation of this Vulnerability:

The good news is Microsoft has released the fix for this vulnerability, CVE-2020-1048. Though, the users will receive the patches automatically with other updates. Otherwise, users may also manually update their systems to download the fixes quickly. If you want to know more about this vulnerability in detail then you can read the research paper publish by both researchers from here.

As the flaw PrintDemon is tracked under the CVE-2020-1048 identifier. Two security researchers from SafeBreach Labs, Tomer Bar and Peleg Hadar, were the first to discover the issue and report it to Microsoft under the responsible disclosure program of Microsoft and also they both will be presenting their own report on the issue at the Black Hat security conference which will be organised in August.

Last month, Shafir and Ionescu have also published details and proof-of-concept code for a similar flaw that they named FaxHell.

Does this article being helpful to you? Let us know your thoughts in the comments section and share it with us on Facebook, Twitter, or our LinkedIn Group.


Previous Post Next Post