August 13, 2020 (updated 14 Aug 2020 1:15pm)

Windows’ Print Spooler: The Gift that Keeps Giving to Attackers?

"This behavior, which dates back to Windows NT 4, is apparently by design and will not be remediated"

By CBR Staff Writer

The patch for a severe privilege escalation vulnerability in Windows issued in May by Microsoft was bypassed within days and has had to be fixed again in August’s Patch Tuesday batch of software updates from Redmond.

May’s so-called PrintDemon bug in the Windows Print Spooler service lets an attacker — able to execute low-privileged code on a machine — establish a persistent backdoor, then return at any point and escalate privileges to SYSTEM.

The exploit involves a few short PowerShell commands and once the backdoor is set up, it will persist even after a patch for the vulnerability has been applied, as a detailed blog by the ZDI’s Simon Zuckerbraun notes.

The issue is one that should be firmly on the radar of CISOs, owing to the persistence of the privilege escalation, numerous detailed write-ups/PoCs, and the seemingly endless enterprise challenge of basic patching hygiene. (Known software security flaws allowed local network penetration at 39% of companies, according to a review of Positive Technologies’ pen testing engagements in 2019).

The latest fix comes with attribution to seven separate security teams: this bug is on a lot of radars — no doubt increasingly criminal ones too.


[Figure: Software in which known security flaws allowed network access. Source: Positive Technologies]





The PrintDemon attack was first allocated CVE-2020-1048 and credited to Peleg Hadar and Tomer Bar of SafeBreach Labs. It involves a bug in Microsoft’s print spooler — an aging application that manages the printing jobs.

As Yarden Shafir and Alex Ionescu noted in a detailed write-up in May, “Because the Spooler service, implemented in Spoolsv.exe, runs with SYSTEM privileges, and is network accessible, these two elements have drawn people to perform all sorts of interesting attacks” — many of which have worked and resulted in hardening by Microsoft. As they noted, however, “there remain a number of logical issues, that one could call downright design flaws which lead to some interesting behavior…”

CVE-2020-1048 lets an attacker bypass existing safety mechanisms in two ways.

1) Tests to ensure users creating a port have write access to the requested file take place in a UI component, whereas PowerShell’s Add-PrinterPort does not contain the security check offered by the original UI client;

2) as Zuckerbraun notes of the second safety check at print time: “Spooled print jobs persist over reboots… If a reboot has intervened, so that the original token associated with the print job is no longer available, then the Print Spooler executes the job using a token associated with the process’s identity of SYSTEM… this behavior, which dates back to Windows NT 4, is apparently by design and will not be remediated.”
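Because the port and any spooled job outlive both reboots and the patch, a host audit is worth running alongside patching. The following is an added example, not code from the article, Microsoft or the ZDI: it uses the `Get-PrinterPort`, `Get-Printer` and `Get-PrintJob` cmdlets from the same PrintManagement module as `Add-PrinterPort`, and the function names and the drive-letter heuristic are assumptions made here.

```powershell
# Added audit example (not from the article). Flags printer ports whose name is
# a filesystem path, the artifact left behind by the technique described above.
# Run from an elevated prompt so queued jobs of all users are visible.

function Test-FilePathPortName {
    param([Parameter(Mandatory)][string]$Name)
    # Heuristic (assumption): a drive-letter path such as C:\dir\file.
    # Built-in names like LPT1:, COM1:, FILE: and PORTPROMPT: do not match.
    return $Name -match '^[A-Za-z]:\\'
}

function Get-SuspiciousPrinterPort {
    $printers = @(Get-Printer)
    foreach ($port in Get-PrinterPort) {
        if (-not (Test-FilePathPortName -Name $port.Name)) { continue }

        # Printers bound to the port, and jobs still waiting in their queues.
        # Queued jobs matter because the spooler replays them after a reboot.
        $bound = @($printers | Where-Object { $_.PortName -eq $port.Name })
        $jobs  = @(foreach ($p in $bound) { Get-PrintJob -PrinterName $p.Name })

        [pscustomobject]@{
            PortName   = $port.Name
            Printers   = ($bound | ForEach-Object { $_.Name }) -join ', '
            QueuedJobs = $jobs.Count
        }
    }
}

Get-SuspiciousPrinterPort | Format-Table -AutoSize
```

Some legitimate software, such as print-to-file drivers, also registers file-path ports, so treat each hit as a lead to triage: ports that point into system directories or that nobody on the team can account for deserve the closest look.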

Just 13 days after the May patch, a security researcher reported a bypass to the ZDI’s bug bounty programme that demonstrated how Microsoft’s fix fundamentally failed to prevent exploitation of the vulnerability.

(This popped up in August’s Patch Tuesday as CVE-2020-1337; like the earlier PrintDemon bug, with a CVSS score of 7 that may tempt those patching to de-prioritise it: something that’s probably entirely wise).

As Microsoft described it: “An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly allows arbitrary writing to the file system. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

A sweeping range of recent Windows 10, 8, and Server iterations are affected and a proof-of-concept is alive and kicking. While the attack may seem a little esoteric and frankly unnecessary for most given easier ways of getting access, for CISOs protecting sensitive environments, it’s the kind of persistent, nagging headache of a vulnerability that should be high on security teams’ radars.

More granular details on CVE-2020-1337 are here. On CVE-2020-1048 here


